Preface



This volume contains the papers selected for presentation at the 1st Theory of Cryptography Conference (TCC) which was held at the Massachusetts Institute of Technology during February 19-21, 2004. The theory of cryptography deals with the paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. The Theory of Cryptography Conference is a new venue dedicated to the dissemination of results in the area. The aim of the conference is to provide a meeting place for researchers and be instrumental in shaping the identity of the theory of cryptography community. A more detailed statement of purpose (‘manifesto’) is available on the TCC Web site (http://www-cse.ucsd.edu/users/mihir/tcc/).

The TCC 2004 program committee consisted of:

Ran Canetti, IBM T.J. Watson Research Center, USA
Ronald Cramer, Århus University, Denmark
Cynthia Dwork, Microsoft Research, USA
Yuval Ishai, Technion, Israel
Joe Kilian, NEC Research Labs, USA
Phil Mackenzie, Bell Labs, Lucent, USA
Daniele Micciancio, UCSD, USA
Moni Naor (PC Chair), Weizmann Institute, Israel
Birgit Pfitzmann, IBM Research, Zurich, Switzerland
Omer Reingold, AT&T Research and IAS, USA
Salil Vadhan, Harvard University and Radcliffe Institute, USA


The program committee chose 29 papers out of the 70 submitted to the conference. Two sets of authors decided to merge, so the volume contains 28 papers altogether. In addition, given recent developments in the field, the committee decided to have a panel discussion on Cryptography and Formal Methods.

Abstract. Starting with the seminal paper of Impagliazzo and Rudich [17], there has been a large body of work showing that various cryptographic primitives cannot be reduced to each other via “black-box” reductions. The common interpretation of these results is that there are inherent limitations in using a primitive as a black box, and that these impossibility results can be overcome only by explicitly using the code of the primitive in the construction.

In this paper we revisit these negative results, give a more careful taxonomy of the ways in which “black-box reductions” can be formalized, strengthen some previous results (in particular giving unconditional impossibility results for reductions that were previously only shown to imply P ≠ NP), and offer a new interpretation of them: in many cases, there is no limitation in using a primitive as a black box, but there is a limitation in treating adversaries as such. In particular, these negative results may be overcome by using the code of the adversary in the analysis.



1 Introduction 

In most of the current body of work in the foundations of cryptography, cryptographic protocols are not shown to be unconditionally secure, but, rather, their security is reduced to the security of seemingly weaker or simpler primitives. We now know that, if one-way functions exist, then there exist private-key encryption and message authentication schemes, as well as (public-key) digital signatures and zero-knowledge proofs [14,12,24,21,13]. On the other hand, if one-way functions do not exist then most interesting cryptographic problems, including all of the above, have no solution [15,23].

* Research supported in part by US-Israel BSF Grant 2002246.

** Part of this research was performed while visiting the IAS, Princeton, NJ.

*** Supported by NSF grant CCR-9984703, a Sloan Research Fellowship and an Okawa Foundation Grant.

of this research were performed while at the IAS in Princeton and the Radcliffe Institute for Advanced Study at Harvard University.

Some cryptographic primitives, however, such as public-key encryption, key agreement, oblivious transfer, collision-resistant hash functions, and non-interactive zero knowledge, are not known to be equivalent to the existence of one-way functions. Furthermore, several of the known constructions based on one-way functions run in polynomial time but are extremely inefficient (e.g. the construction of pseudorandom generators from one-way functions [14], which is a component in several other constructions). Since these are some of the main gaps in our systematization of the foundations of cryptography, it is natural to ask whether additional primitives, such as public-key encryption, can be constructed from one-way functions, and whether known constructions can be made more efficient. One has to be careful in formalizing such questions. It is commonly believed that one-way functions exist and that public-key encryption is possible, which would mean that the existence of one-way functions implies the existence of public-key encryption in a trivial logical sense. The question is whether the techniques that we typically use to prove implications of one-way functions in cryptography have some inherent limitation that prevents us from deriving the existence of public-key encryption from one-way functions.

Impagliazzo and Rudich [17] were the first to give a formal treatment of such issues. They observed that most implications in cryptography are proved using a reduction, where the starting primitive is treated as an oracle, or a “black box,” and the analysis shows that if the primitive is secure in a black-box sense then the constructed primitive is also secure. Impagliazzo and Rudich consider various models of black-box reductions (where there are some additional constraints beyond the primitive being treated as a black box) and show that, in one such model, a black-box construction of key agreement based on one-way functions implies a proof that P ≠ NP. They also show that in a more constrained model such a construction is unconditionally impossible. The formal framework of Impagliazzo and Rudich has subsequently been used to address other “implication” questions, such as one-way functions versus one-way permutations [26,19], one-way functions versus collision-resistant hash functions [27], and between key agreement, oblivious transfer, public-key encryption and trapdoor functions and permutations [9,10]. Variants of the framework have also been used to address the issue of the number of rounds in KA protocols [25], of the efficiency of constructions of universal one-way hash functions based on one-way permutations [20,8], of pseudorandom generators based on one-way permutations [8] and of public-key encryption based on trapdoor permutations [7].

The common interpretation of these results is that there are inherent limitations in using a primitive as a black box, and that these impossibility results can be overcome only by explicitly using the code of the primitive in the construction.

Notions of Reducibility between Cryptographic Primitives

In this paper we revisit these negative results, give a more careful taxonomy of the ways in which “black-box reductions” can be formalized, strengthen some previous results (in particular giving unconditional impossibility results for reductions that were previously only shown to imply P ≠ NP), and offer a new interpretation of them: in many cases, there is no limitation in using a primitive as a black box, but there is a limitation in treating adversaries as such. In particular, these negative results may be overcome by using the code of the adversary in the analysis.

1.1 Impossibility Results for Reductions 

The starting point of the work of Impagliazzo-Rudich is the observation that most known cryptographic constructions based on one-way functions treat the one-way function as a “black box.” (Exceptions are discussed in Section 1.5.) Roughly speaking, a black-box (BB) reduction of a primitive Q to one-way functions (OWF) is a construction that uses oracle access to a function f, and guarantees that if f is one-way then the construction is secure. In particular:

— The construction does not use the code of the function f;

— The construction is well defined and efficient even if f is not efficiently computable (as long as it is given as an oracle);

— There is a proof of security that shows that an adversary breaking the protocol yields an adversary that inverts f.

There are various ways to formalize the third condition (which we make precise in Section 2). One possibility considered in [17], which we call fully-BB, is that there is an algorithm that converts every adversary that supposedly breaks the construction (according to the definition of security for Q) into a procedure that inverts f. This algorithm is efficient and it is given oracle access to the adversary and to f. In this setting, both the construction and the analysis are black box. Another way to look at it is that both the primitive and the adversary are treated as black boxes. Most reductions in the cryptography literature are fully-BB.

Impagliazzo and Rudich [17] prove that there can be no fully-BB reduction of key agreement (KA) to OWF. Since public-key encryption, trapdoor permutations and oblivious transfer all imply KA (by fully-BB reductions), it then follows that there are no fully-BB transformations of OWF into these other primitives as well. It is natural to ask whether the impossibility is due to the fact that both the primitive and the adversaries are treated as oracles, or if it is enough that just the primitive is.

Impagliazzo and Rudich also consider a weaker form of a BB reduction of KA to OWF, a form that we call semi-BB in this paper. In a semi-BB reduction, we have a BB construction of KA based on a function f given as an oracle. The analysis proves that for every efficient adversary with oracle access to f that breaks the construction, there is an efficient adversary that inverts f if given oracle access to f. This seems to formalize the notion of a BB construction with an arbitrary analysis, but we argue that it does not. If f is a one-way function in the black-box sense,¹ then the construction has to be secure not only against efficient adversaries, but also against adversaries that have oracle access to f. A proof technique that makes use of the code of the adversary is not BB in this sense.

¹ Meaning that no efficient procedure with oracle access to f can invert f on a non-negligible fraction of inputs.

Impagliazzo and Rudich prove that, if P = NP, there is no semi-BB reduction of KA to OWF. This means that, in order to come up with a proof that OWF implies KA, one must either avoid semi-BB reductions or find, along the way, a proof that P ≠ NP. Impagliazzo and Rudich prove their result by establishing the stronger (and independently interesting) statement that if P = NP, then there is no secure KA in the random oracle model. (Note that a random oracle is one-way in the black-box sense even if P = NP.)



1.2 The Limitations of Semi-BB Reductions 

In this paper we prove, unconditionally, that there is no semi-BB reduction of OWF to KA. We prove this unconditional result by embedding a PSPACE oracle into a small part of the random oracle used in the Impagliazzo-Rudich result, and use the fact that P^PSPACE = NP^PSPACE. The embedding technique is due to Simon [27].

Following the lead of Impagliazzo and Rudich, several other works explored the limitations of black-box reductions, with examples being [25,27,20,8,9,10]. Most results ruled out fully-BB reductions unconditionally, and semi-BB reductions if P = NP. An exception is the work of Gertner et al. [10], which involves a model that is slightly different from the one of [17], and which only rules out fully-BB reductions. The embedding technique allows us to prove that semi-BB reductions are unconditionally impossible in all cases where semi-BB reductions were previously ruled out conditionally.

More generally, we show that, under mild conditions satisfied by most natural primitives, semi-BB reductions are equivalent to relativizing reductions (proofs that the implication holds relative to any oracle). Since the above works rule out relativizing reductions unconditionally, we obtain unconditional impossibility of semi-BB reductions.



1.3 The Power of Mildly-BB Reductions 

Semi-BB reductions have typically been considered to be BB constructions with arbitrary proofs, and negative results about semi-BB reductions have typically been interpreted as limitations for constructions that do not use the code of the primitive. In this paper, we present a different perspective.

We first formalize the notion of a BB construction with an arbitrary proof, which we call a mildly-BB reduction. In a mildly-BB reduction of, say, KA to OWF, the construction refers to an oracle function, and it is secure whenever the oracle function is one-way in a black-box sense, but the analysis of the construction may be arbitrary. This means that for every oracle f and for every efficient adversary that breaks the KA protocol constructed from f, there is an efficient procedure that inverts f when given oracle access to f. The difference with semi-BB is that we do not consider KA adversaries that require oracle access to f to be efficiently realized.

A first observation is that if we had a provably secure KA scheme, then it would also be a mildly-BB reduction of OWF to KA: just let the parties ignore the oracle, and then the security of the construction in the real world implies that it is also secure as a mildly-BB reduction.

This means that it is unrealistic to look for an unconditional proof that mildly-BB reductions of OWF to KA do not exist; indeed, most likely, such a mildly-BB reduction exists. However one can still wonder whether the only way to come up with a mildly-BB reduction is to “cheat” in this manner, and have the analysis of the construction contain the proof of a strong lower bound (so that the intractability comes not from the primitive used as an oracle but from the proof of correctness of the reduction).

A similar situation arises in the random oracle model studied by Impagliazzo and Rudich [17]: a secure KA protocol in the real world would also be secure in the random oracle model.

However, Impagliazzo and Rudich show that if P = NP then there can be no secure construction of KA in the random oracle model. That is, the only way to construct a secure KA in the random oracle model is to come up with a proof that P ≠ NP along the way.

One might expect that, similarly to the Impagliazzo-Rudich result, if P = NP then there is no mildly-BB reduction of KA to OWF. Perhaps surprisingly, we prove that the opposite is true: if P = NP then there is a mildly-BB reduction of KA to OWF. Indeed, such a reduction exists even under the weaker assumption that OWFs do not exist.²

In other words, if KA is possible, then there is a mildly-BB reduction of OWF to ioKA, and if OWF do not exist then there is also a mildly-BB reduction of OWF to KA. That is, if OWF imply KA in the logical sense (i.e., unless OWF exist but KA is impossible) then the implication can be proved using mildly-BB reductions.³ The significance of this result is that it shows that there is no inherent limitation (at least in KA versus OWF) in ignoring the code of the primitive, although there are limitations in ignoring the code of the adversary as well.

We similarly show that mildly-BB reductions are as powerful as arbitrary reductions in transforming OWF to one-way permutations, to collision-resistant hash functions, to trapdoor permutations, and other primitives.



² Actually, the reduction only provides “infinitely-often KA” (ioKA) from one-way functions; see Section 4.

³ To be precise, our result leaves out the case in which ioKA exist but KA do not exist. Even in such a case, it is possible to argue that for every input length, if OWF imply KA in the logical sense for that input length, then the implication can be established with a mildly-BB reduction. See Section 4.3.

1.4 Efficiency of Reductions

We next turn our attention to another line of research about the limitations of black-box reductions, namely, the efficiency of reductions. The issue of efficiency was first raised by Rudich [25], who investigated the round complexity of KA schemes. Rudich proved that one cannot use a fully-BB reduction to transform a k-round KA scheme into a (k − 1)-round one. Later, Kim, Simon and Tetali [20] considered the question of efficiency of constructions of universal one-way hash functions (UOWHFs) based on one-way permutations (OWPs). The known reduction (of [22]) is fully black box and invokes the OWP a number of times that is roughly linear in the compression of the UOWHF. Kim et al. [20] show that every fully-BB construction must invoke the OWP a number of times that is at least (roughly) the square root of the compression.

Gennaro and Trevisan [8] considered again the question of reductions of OWPs to UOWHF, as well as the question of constructions of pseudorandom generators (PRGs) based on OWPs. The Blum-Micali-Yao construction [3,28,11] invokes the OWP a number of times that is roughly linear in the expansion of the generator. Gennaro and Trevisan proved that if OWF do not exist, then there is no mildly-BB transformation of OWP to PRG and no mildly-BB transformation of OWP to UOWHF where the OWP is invoked a sub-linear number of times (sub-linear in the expansion and in the compression, respectively). On the other hand, if OWF do exist, then there are zero-query mildly-BB constructions. This means that the only way of improving current constructions, even with a mildly-BB reduction, is to come up with an unconditional construction and disregard the oracle.⁴ Gennaro, Gertner and Katz [7] gave similar results for constructions of public-key encryption and signature schemes.⁵

These results by Gennaro et al. [8,7] about the efficiency of reductions are the only ones that rule out even mildly-BB reductions.

Regarding the efficiency of known reductions in cryptography, perhaps the most glaring open question is whether the construction of PRG based on OWF by Håstad et al. [14] can be made more efficient. It was conjectured in [8] that black-box transformations of OWF into PRG have to invoke the OWF a super-linear number of times. In this paper, we show that there is a mildly-BB construction of PRG based on OWF that invokes the one-way function only once. This sounds like a great improvement over [14] but, unfortunately, we use [14] as part of our construction. The idea is that if OWFs exist, then we can use [14] to obtain a PRG that is secure in the real world, and then it will also be a mildly-BB construction of PRG from OWF (which makes zero oracle queries). On the other hand, if OWFs do not exist, then we describe a mildly-BB construction.⁶ How should we interpret such a result? It seems to say that we should not stop looking for more efficient constructions than the one in [14] and that, in this search, we may restrict ourselves to constructions that treat the one-way function as a black box.

⁴ Gennaro and Trevisan also show unconditionally that there can be no fully-BB sublinear construction and, using our results in Section 3.2, we get an unconditional result for semi-BB constructions.

⁵ In the setting of encryption, they show the following: suppose there is a mildly-BB construction of a semantically secure public key cryptosystem based on trapdoor permutations, and such that the trapdoor permutation is used a sublinear number of times in the length of the message; then one-way functions exist unconditionally. Notice that one could imagine a stronger result proving that the unconditional existence of public-key encryption follows from the same assumption.



1.5 Perspective 

It should be stressed that not all reductions in the cryptographic literature are black box. Many of the examples are constructions that make use of the general construction of zero-knowledge proofs (and variants) for arbitrary NP languages [13], as the [13] protocol makes use of the code of the algorithm that verifies witnesses for the NP relation. For example, when using this result to construct identification schemes from any one-way function [5], the identification scheme makes use of the code of the one-way function and thus this is not a black-box reduction. There are a number of other results in cryptography that make non-black-box use of the starting primitive in a similar fashion. Only recently, however, have we seen reductions making non-black-box use of the adversary in the proof of security, in the exciting works of Barak [1,2].

Given the fact that non-black-box reductions exist in the literature, one might wonder how to interpret black-box reductions and impossibility results. For this, it is useful to consider an analogy with the role of reductions in complexity theory. The first motivation for introducing polynomial-time reducibilities (e.g. Karp reductions and Cook reductions) was to relate the existence of polynomial-time algorithms for various problems: if problem A reduces to problem B, then B ∈ P ⇒ A ∈ P. Note that here the polynomial-time algorithm for B is used in a black-box manner. The constructed polynomial-time algorithm for A only uses the B-algorithm as a subroutine and its correctness doesn’t make use of the fact that the B-algorithm is efficient.⁷ One can envision non-black-box ways of proving implications of the form B ∈ P ⇒ A ∈ P, and there are examples in the literature (one is mentioned below). Still we find reductions to be an extremely useful concept:

— Reductions provide a natural way of comparing the “complexity” of problems (even when we believe neither problem has a polynomial-time algorithm). For example, SAT trivially reduces to QBF_2 (quantified boolean formulae with two alternating quantifiers) and it is known that QBF_2 does not (Cook-)reduce to SAT unless the polynomial-time hierarchy collapses. Nevertheless, the implication SAT ∈ P ⇒ QBF_2 ∈ P is known to hold, and indeed it (necessarily) makes non-black-box use of the polynomial-time algorithm for SAT. Still we interpret the lack of a Cook-reduction from QBF_2 to SAT as saying that QBF_2 is a more “complex” problem than SAT.

— Results showing that certain reductions are unlikely to exist provide a guide for attempts to prove the corresponding implication. For example, it is known that for any NP-complete problem L, there is no nonadaptive reduction from deciding L in the worst case to deciding L in the average case (with respect to any samplable distribution) unless the polynomial-time hierarchy collapses [6,4]. Thus, in future attempts to establish a worst-case/average-case equivalence for NP, it is natural to start by looking for adaptive reductions.

⁶ There are again some technical issues about infinitely many versus all input lengths.

⁷ Note that the black-box use of the B-algorithm is particularly acute when B is a promise problem, since A must work for all oracles that are correct on inputs that satisfy the promise, even undecidable ones.

O. Reingold, L. Trevisan, and S. Vadhan

Both of these uses of reductions also seem relevant in cryptography. It is scientifically interesting to have a framework for formalizing the idea that, say, public-key cryptography is a “more complex” primitive than private-key cryptography (even when we believe both to exist). And results on the non-existence of black-box reductions help guide attempts to establish new implications. For example, our results highlight the significance of making non-black-box use of the adversary, as in [1,2], and suggest that it may enable us to overcome some previous barriers. We note that when using non-existence of reductions as a guide for future work, it is important to make the notions of reduction precise and carefully interpret their meaning. Indeed, these are some of the goals of the taxonomy and results presented in this paper.



2 Black-Box Constructions and Analyses 

2.1 Cryptographic Primitives 

In order to define the various notions of reduction between cryptographic primitives we first need to clarify what constitutes a primitive. The definition we use is quite general. Still, for the sake of readability, we do not state our definitions and results in the most general setting possible. In particular, our notion of efficiency will be that of probabilistic polynomial-time (PPT) Turing machines and we assume that all parties involved in the definition of a primitive (including the adversaries) are efficient. Therefore, our results are stated in a way that does not apply to non-uniform or information-theoretic notions of security.

Definition 2.1. A primitive P is a pair (F_P, R_P), where F_P is a set of functions f : {0,1}* → {0,1}*, and R_P is a relation over pairs (f, M) of a function f ∈ F_P and a machine M. The set F_P is required to contain at least one function which is computable by a PPT machine.

A function f : {0,1}* → {0,1}* implements P or is an implementation of P if f ∈ F_P. An efficient implementation of P is an implementation of P which is computable by a PPT machine. A machine M P-breaks f ∈ F_P if (f, M) ∈ R_P. A secure implementation of P is an implementation of P such that no PPT machine P-breaks f. The primitive P exists if there exists an efficient and secure implementation of P.
Let us elaborate on the semantics of the above definition. It is natural that an implementation of a primitive can be represented as a function f : {0,1}* → {0,1}*. For example, in the case of one-way functions, f is simply the one-way function itself. In the case of encryption schemes, f represents three functions: the key generation, the encryption and the decryption functions. In the case of key agreement and protocols in general, f represents the message function (the function that determines the message a party should send given its inputs, its coin tosses, and the previous messages). The set F_P in the definition of a primitive P captures various structural requirements for an implementation of P. For example, in the case of one-way permutations we require that an implementation f will be a length-preserving permutation. The set F_P also captures correctness requirements (when they are separated from the security of the primitive). For example, for encryption schemes, we require that the decryption of an encryption of a plaintext m will recover m. For key agreement, we require that the two honest parties output the same key. The structural and correctness requirements of a primitive are usually easy to obtain when we do not insist on security. Therefore, it is not very restrictive to require the set F_P to contain at least one efficiently computable function. Finally, the security requirement of a primitive is specified through the definition of breaking an implementation of this primitive. This is captured by the relation R_P. For example, for one-way functions, we would define (f, M) ∈ R_P if there is a polynomial p such that Pr[M(f(U_n)) ∈ f^{-1}(f(U_n))] > 1/p(n) for infinitely many n. Sometimes, we will need to work with “infinitely often” (io) analogues of primitives, where the security is only required to hold for infinitely many input lengths, i.e. to “break” the primitive, an adversary must succeed on all but finitely many input lengths. For example, if P is the primitive ioOWF, then we would define (f, M) ∈ R_P if there is a polynomial p such that Pr[M(f(U_n)) ∈ f^{-1}(f(U_n))] > 1/p(n) for all but finitely many n.

We will also need to define the existence of a primitive relative to an oracle. 

Definition 2.2. A primitive P exists relative to an oracle Π if there exists an implementation f of P which is computable by a PPT oracle machine with access to Π and such that no PPT oracle machine with access to Π P-breaks f.

2.2 Notions of Reducibility 

A reduction from a primitive P to a primitive Q means that the existence of Q implies the existence of P. In other words, it means that either P exists or Q does not exist. Reductions in the literature usually entail much more than that. For example, a reduction from P to Q usually gives a constructive way of obtaining a secure and efficient implementation of P from one of Q. We now define various such types of more restricted and structured reductions. For comparison we refer to an arbitrary reduction as a free reduction.

The most restricted form of reduction considered in this paper is what we call a fully black-box (BB) reduction, where the construction and analysis (showing that the construction produces a secure implementation of P given a secure implementation of Q) are both BB. Most, but not all, reductions in the literature are fully BB.

Definition 2.3. There exists a fully-BB reduction from a primitive P = (F_P, R_P) to a primitive Q = (F_Q, R_Q), if there exist PPT oracle machines G and S such that:

Correctness. For every implementation f ∈ F_Q we have that G^f ∈ F_P.
Security. For every implementation f ∈ F_Q and every machine A, if A P-breaks G^f then S^{A,f} Q-breaks f.

The next, less restricted, notion of reduction is a reduction that works even if all parties get oracle access to an arbitrary, possibly inefficient implementation of Q.

Definition 2.4. There exists a semi-BB reduction from a primitive P = (F_P, R_P) to a primitive Q = (F_Q, R_Q) if there exists a PPT oracle machine G such that:

Correctness. For every implementation f ∈ F_Q we have that G^f ∈ F_P.
Security. For every implementation f ∈ F_Q, if there exists a PPT oracle machine A such that A^f P-breaks G^f, then there exists a PPT oracle machine S such that S^f Q-breaks f.

It is tempting to view a semi-BB reduction as a BB construction with an arbitrary analysis, since only f is treated as a black box. However, as we try to argue in Section 3, the analysis in a semi-BB reduction is still very much black box. In essence, this is due to the oracle access that A gets to (the computationally unbounded) f. Since f may be the heart of the adversary A^f that breaks P, the access S has to this adversary is in large part black box. Following is our attempt to formalize what we view as a BB construction with arbitrary analysis.

Definition 2.5. There exists a mildly-BB reduction from a primitive P = (F_P, R_P) to a primitive Q = (F_Q, R_Q) if there exists a PPT oracle machine G such that:

Correctness. For every implementation f ∈ F_Q we have that G^f ∈ F_P.
Security. For every implementation f ∈ F_Q, if there exists a PPT machine A that P-breaks G^f, then there exists a PPT oracle machine S such that S^f Q-breaks f.
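To make the quantifier structure of Definitions 2.3, 2.4 and 2.5 visible at a glance, the three security conditions are collected below in one notation, followed by the two immediate implications between them; this comparison is added here and is not part of the original paper (the symbols G, S, A, f, F_Q are those of the definitions above).

```latex
\begin{align*}
\text{fully-BB:}\quad  & \exists\, G, S\ \ \forall f \in F_Q\ \ \forall A:\
   A \text{ P-breaks } G^f \;\Rightarrow\; S^{A,f} \text{ Q-breaks } f \\
\text{semi-BB:}\quad   & \exists\, G\ \ \forall f \in F_Q\ \ \forall \text{PPT oracle } A:\
   A^{f} \text{ P-breaks } G^f \;\Rightarrow\; \exists\, \text{PPT oracle } S:\ S^{f} \text{ Q-breaks } f \\
\text{mildly-BB:}\quad & \exists\, G\ \ \forall f \in F_Q\ \ \forall \text{PPT } A:\
   A \text{ P-breaks } G^f \;\Rightarrow\; \exists\, \text{PPT oracle } S:\ S^{f} \text{ Q-breaks } f
\end{align*}
% fully-BB => semi-BB: let (G, S) be fully-BB and let A be a PPT oracle machine such that
% A^f P-breaks G^f. Define S'^f := S^{A^f, f}, i.e. S' runs S and answers each query S makes
% to its adversary oracle by running A with oracle access to f. S' is PPT with oracle access
% to f alone, and the fully-BB security condition applied to the machine A^f gives that
% S'^f Q-breaks f. Hence G (with S') satisfies Definition 2.4.
% semi-BB => mildly-BB: a PPT machine A is a PPT oracle machine that never queries its
% oracle, so A^f = A for every f, and the semi-BB hypothesis already supplies the S required
% by Definition 2.5. The only difference between semi-BB and mildly-BB is whether the
% adversary A may query the (possibly inefficient) oracle f.
```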

Remark 2.6. A definition that might also capture the intuition “a BB construction with arbitrary analysis” is one where S is also denied access to f. For the sake of this discussion, let us refer to such reductions as mildly′-BB. One problematic aspect of mildly′-BB reductions is that not only are such reductions more restricted than mildly-BB, they even seem incomparable to fully-BB reductions. In particular, for many fundamental BB reductions known in cryptography, it is not clear if the corresponding implications can also be proven via mildly′-BB reductions.
Fig. 1. Simple relations between notions of reduction. An arrow goes from a more restricted form of reduction to a less restricted one.



Related to BB-reductions are relativizing reductions, which turn out to be very
useful in the context of BB separations.

Definition 2.7. There exists a relativizing reduction from a primitive P =
(F_P, R_P) to a primitive Q = (F_Q, R_Q) if for every oracle Π, if Q exists relative
to Π then so does P.

Finally, we consider two additional notions of reductions that are obtained
from semi- and mildly-BB reductions by a switch of quantifiers. Previously we
asked for a “universal” procedure G that reduces all secure implementations f
of Q to secure implementations of P. But this may not be necessary if we
are only trying to show that P reduces to Q. In the following definitions we are
satisfied with the existence of a (possibly different) G for every f (hence the
name ∀∃).

Definition 2.8. There exists a ∀∃semi-BB reduction from a primitive P =
(F_P, R_P) to a primitive Q = (F_Q, R_Q) if for every implementation f ∈ F_Q
there exists a PPT oracle machine G such that:

Correctness. G^f ∈ F_P.

Security. If there exists a PPT oracle machine A such that A^f P-breaks G^f,
then there exists a PPT oracle machine S such that S^f Q-breaks f.

Definition 2.9. There exists a ∀∃mildly-BB reduction from a primitive P =
(F_P, R_P) to a primitive Q = (F_Q, R_Q) if for every implementation f ∈ F_Q there
exists a PPT oracle machine G such that:

Correctness. G^f ∈ F_P.

Security. If there exists a PPT machine A that P-breaks G^f, then there exists
a PPT oracle machine S such that S^f Q-breaks f.

Some simple relations between the various notions of reductions are given by 
the following lemma (and are illustrated in Figure 1). 
Lemma 2.10. For any two primitives P and Q, we have the following:

1. If there exists a fully-BB reduction from P to Q then there exists a semi-BB
reduction from P to Q as well.

2. If there exists a semi-BB reduction from P to Q then there exists a mildly-BB
reduction from P to Q as well.

3. If there exists a semi-BB reduction from P to Q then there exists a ∀∃semi-BB
reduction from P to Q as well.

4. If there exists a mildly-BB reduction from P to Q then there exists a
∀∃mildly-BB reduction from P to Q as well.

5. If there exists a ∀∃semi-BB reduction from P to Q then there exists a
∀∃mildly-BB reduction from P to Q as well.

6. If there exists a ∀∃mildly-BB reduction from P to Q then there exists a free
reduction from P to Q as well.

7. If there exists a fully-BB reduction from P to Q then there exists a relativizing
reduction from P to Q as well.

8. If there exists a relativizing reduction from P to Q then there exists a ∀∃semi-BB
reduction from P to Q as well.

All relations follow quite easily from the definitions. We omit a complete
proof in this extended abstract.



3 Semi-BB versus Relativization

The study of BB separations in cryptography started with the seminal work
of Impagliazzo and Rudich [17]. Previously it was known that the existence
of many cryptographic primitives, such as various private-key primitives and
digital signatures, reduces to the existence of one-way functions (OWF), which
in turn are essentially necessary for all computational aspects of security in
cryptography. Other primitives, however, such as key-agreement (KA), and thus
also various fundamental primitives that imply KA, resisted attempts to be
reduced to OWF. Noting that almost all reductions in cryptography are black
box, [17] turned to showing that such reductions are simply not sufficiently
powerful to reduce KA to OWF or even to one-way permutations (OWP).

Theorem 3.1 ([17]). There is no relativizing reduction from KA to OWP. 

An immediate consequence of Theorem 3.1 is that there is no fully-BB reduction
from KA to OWP. At the core of the proof of Theorem 3.1 stands a lemma
which states that, relative to a random (permutation) oracle (which is in some
sense a “perfect OWP”), there is no KA unless P ≠ NP. In particular, constructing
KA in the random-oracle model is at least as hard as proving P ≠ NP.
In addition, [17] pointed out that this lemma “rules out” even less restrictive forms
of BB reductions from KA to OWP. Using the taxonomy of this paper, we can
state the results of [17] with respect to BB reductions as follows.

Theorem 3.2 ([17]). There is no fully-BB reduction from key-agreement to
one-way permutations. Furthermore, there is no ∀∃semi-BB reduction from KA
to OWP unless P ≠ NP.

In this section we prove an unconditional version of Theorem 3.2. We generalize
this by showing that “usually” ∀∃semi-BB reductions are equivalent to
relativizing reductions. This implies unconditional proofs of various results that
were previously only known to hold conditionally. Finally, based on the new
equivalence between reduction types, we reinterpret the notion of semi-BB
reductions.

3.1 Impagliazzo-Rudich Revisited 

Based on Theorem 3.1 and using an “embedding technique” due to Simon [27],
we are able to strengthen Theorem 3.2 as follows.

Theorem 3.3. There is no ∀∃semi-BB reduction from KA to OWP.

Proof. Theorem 3.1 implies that there exists an oracle Π : {0,1}* → {0,1} such
that relative to Π, OWP exists and KA does not. Let f′ be the secure and
efficient OWP which exists relative to Π. We define a permutation f such that
(1) f is computable by a PPT oracle machine with access to Π, (2) f is one-way
relative to Π, and (3) there exists a PPT oracle machine with access to f that
evaluates Π. Let us first assume that such an f exists and see how it implies the
theorem.

Properties (1) and (2) of f imply that f is one-way relative to itself (since
an oracle machine that OWP-breaks f relative to f can be efficiently simulated
relative to Π). Properties (1) and (3) of f imply that there is no KA relative to f.
This is because an efficient implementation of KA relative to f is also an efficient
implementation of KA relative to Π, which implies that it can be broken relative
to Π and thus also relative to f. Now assume for the sake of contradiction that
there exists a ∀∃semi-BB reduction from KA to OWP. Let G be the PPT oracle
machine which corresponds to f as guaranteed by the definition of a ∀∃semi-BB
reduction. From the correctness of G, it follows that G^f is an implementation of
KA relative to f; since no KA exists relative to f, there is a PPT oracle machine
A such that A^f KA-breaks G^f. The security of the ∀∃semi-BB reduction then
yields a PPT oracle machine S such that S^f inverts f. But this contradicts
the fact that f is one-way relative to itself.

It remains to define f with the desired properties. Intuitively, Π is “embedded”
into a small part of f and on the rest of the inputs f evaluates f′.
On a (2n+1)-bit long input (r, x, σ), where r and x are n bits long each and σ
is a bit, the function f is defined as follows: if r is the all-zero string then
f(r, x, σ) = (r, x, Π(x) ⊕ σ); otherwise f(r, x, σ) = (r, f′(x), σ). (The definition
can be naturally extended to even-length inputs.) That f is a permutation follows
trivially from f′ being a permutation. Property (2) (the one-wayness of f
relative to Π) is also easy, as on all but a negligible fraction of its inputs (those
with r being the all-zero string), inverting f on a random input is equivalent to
inverting f′ on a random input. Finally, properties (1) and (3) follow immediately
from the definition. □
Fig. 2. In addition to the simple relations already shown in Figure 1, the dashed arrow
indicates that “usually” relativizing reductions are equivalent to ∀∃semi-BB reductions.



3.2 The General Condition for Equivalence

The equivalence between the existence of a relativizing reduction and a ∀∃semi-BB
reduction is not limited to the reduction from KA to OWP. In fact, essentially
the same argument was used by Simon [27] regarding reductions of
collision-resistant hash functions to OWP. In general, the two notions of reduction
are equivalent for showing a reduction from a primitive P to a primitive
Q, if it is possible to “embed” an arbitrary oracle into Q as in the proof of
Theorem 3.3.

Definition 3.4. We say that a primitive Q = (F_Q, R_Q) allows embedding if for
any oracle Π : {0,1}* → {0,1} and any f′ ∈ F_Q that can be computed by a PPT
oracle machine with access to Π, there exists f ∈ F_Q such that the following
hold:

1. f is computable by a PPT oracle machine with access to Π.

2. If there exists a PPT oracle machine that Q-breaks f then there exists
a PPT oracle machine that Q-breaks f′.

3. There exists a PPT oracle machine with access to f that evaluates Π.

The following equivalence is proven in exactly the same way as Theorem 3.3. 



Theorem 3.5. Let P = (F_P, R_P) be any primitive and Q = (F_Q, R_Q) be any
primitive that allows embedding. Then there exists a relativizing reduction from
P to Q if and only if there exists a ∀∃semi-BB reduction from P to Q.

It seems hard to find a natural primitive that does not allow embedding. In
fact, the case of OWP is relatively difficult compared to other primitives (because
of the need to preserve the permutation property). Therefore, we can informally
say that “usually” the above equivalence holds (see Figure 2 for an updated
picture which takes this “equivalence” into account). The embedding technique
allows us to prove that ∀∃semi-BB reductions are unconditionally impossible in
all cases where ∀∃semi-BB reductions were previously only conditionally ruled
out. Two examples are [25] on reducing the number of rounds in KA and [9]
on the relationships among KA, oblivious transfer, public-key encryption, and
trapdoor functions and permutations. In fact, this also holds for the results of
[8,7] regarding the efficiency of known constructions. In this setting, however,
it is important to take into account the efficiency of the embedding technique
itself. Usually, however, the embedding is extremely efficient. For example, in the
definition of f above, evaluating it requires a single oracle query (either to f′ or
to Π) and similarly evaluating Π requires a single oracle call to f.
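As an added illustration (this is not the paper's code), the following Python models the embedding of Π into the permutation f from the proof of Theorem 3.3 and checks the query counts claimed in the paragraph above. Π is a constructed random bit-valued oracle and f′ a constructed random permutation of n-bit strings, standing in for the oracles of the proof; the `Oracle` wrapper, the block length `N`, and the function names are the example's own assumptions.

```python
import itertools
import random

N = 4  # the block length n; inputs to f are (r, x, sigma) with |r| = |x| = n and sigma a bit


class Oracle:
    """Wraps a callable and counts queries, so the single-query claims can be checked."""

    def __init__(self, fn):
        self.fn = fn
        self.queries = 0

    def __call__(self, *args):
        self.queries += 1
        return self.fn(*args)


# Constructed stand-ins for the oracles of the proof: Pi is a random bit-valued
# oracle on n-bit strings and f_prime a random permutation of n-bit strings
# (playing the role of the OWP f' that exists relative to Pi).
_rng = random.Random(2004)
PI_TABLE = {x: _rng.getrandbits(1) for x in range(2 ** N)}
PERM = list(range(2 ** N))
_rng.shuffle(PERM)
Pi = Oracle(lambda x: PI_TABLE[x])
f_prime = Oracle(lambda x: PERM[x])


def f(r, x, sigma):
    """The embedded permutation of the proof of Theorem 3.3.

    If r = 0^n: f(r, x, sigma) = (r, x, Pi(x) xor sigma); otherwise (r, f'(x), sigma).
    Either branch makes exactly one oracle query, which is property (1).
    """
    if r == 0:
        return (r, x, Pi(x) ^ sigma)
    return (r, f_prime(x), sigma)


def evaluate_pi_via_f(f_oracle, x):
    """Property (3): Pi(x) is read off with a single query to f on the r = 0^n slice."""
    _, _, bit = f_oracle(0, x, 0)
    return bit


def is_permutation():
    """Check that f is a bijection on the whole (2n+1)-bit domain (follows from f' being one)."""
    domain = list(itertools.product(range(2 ** N), range(2 ** N), range(2)))
    return len({f(*inp) for inp in domain}) == len(domain)


def embedded_fraction():
    """Fraction of inputs on which f consults Pi instead of f' (those with r = 0^n): 2^-n.
    This is the negligible slice that makes property (2) easy."""
    return 2.0 ** -N
```

With n = 4 the whole domain has 2^9 inputs, so `is_permutation` can check bijectivity exhaustively; for realistic n the same code only illustrates the two branches and the query accounting.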



3.3 Discussion

It is typical to view semi-BB reductions, and certainly ∀∃semi-BB reductions, as a
BB-construction with arbitrary analysis. However, we feel that the equivalence to
relativizing reductions, and specifically the embedding technique, demonstrate
that the analysis in a semi-BB reduction is still very much black box. Recall that
in a semi-BB reduction from P to Q, we only consider polynomial-time machines
A such that A^f P-breaks G^f, and the requirement is that if such a machine A exists
then there also exists an efficient S such that S^f Q-breaks f. This looks less
BB than the analysis in fully-BB reductions, since S does not get oracle access
to A but rather only to f, and since we only consider efficient machines A. The
reason that this analysis is still very much BB is that the adversary for P is A^f
(which may be very inefficient) rather than A. In particular, the reduction does
not have access to a small description of this adversary (let alone a small circuit
that evaluates it). What the embedding technique demonstrates is that often f
can be the major part of the adversary A^f, and thus S's access to the adversary
is really black box.

4 Mildly-BB versus Arbitrary Reductions 

In this section we show various settings for which mildly-BB reductions exist
iff free (arbitrary) reductions exist (this is illustrated in Figure 3). In other
words, in some settings mildly-BB reductions are as powerful as free reductions. We could
therefore concentrate on finding such reductions, which treat the primitive as a
black box. These results also indicate that it is unlikely that we could strengthen
some previous BB separations that ruled out semi-BB reductions so
that they also rule out mildly-BB reductions in the same settings.

4.1 Mildly-BB Reductions from KA to OWF

We now show that if the statement “the existence of OWF implies the existence
of ioKA” is true then it can be proved via a mildly-BB construction of KA
based on OWF. We note that this means that it is unlikely that we could rule
out a mildly-BB reduction from ioKA to OWF, whereas [17] and Theorem 3.3
rule out such semi-BB reductions. The equivalence between free reductions and
mildly-BB reductions in this context follows from the next two lemmas.

Fig. 3. In addition to the picture given by Figure 2, the dotted arrow indicates that in
some interesting cases mildly-BB reductions are equivalent to free (arbitrary) reductions.

Lemma 4.1. Suppose that ioKA exists. Then there is a mildly-BB reduction
from ioKA to OWF.

Proof. The efficient oracle machine G needed by the definition of mildly-BB
reductions simply ignores the oracle f and evaluates from scratch the ioKA
which we assume to exist. The reduction is secure as there is no PPTM A that
ioKA-breaks G^f. □



Lemma 4.2. Suppose that OWF do not exist. Then there is a mildly-BB reduction
from ioKA to OWF.

Proof (Sketch). Consider the following construction: given security parameter n
and oracle f

— Alice picks at random x, r ∈ {0,1}^n, and sends x, r to Bob.

— Alice and Bob agree on the bit f(x) · r (the inner product of f(x) and r modulo 2).

The protocol does not make much sense in the “real world,” but the reader
should be reminded that the protocol is only meant to work in case OWFs do
not exist, a case in which no KA protocol can exist in the real world.

To prove the lemma, we will show that if f is a black-box one-way function,
then the protocol cannot be broken by an efficient adversary. Intuitively, the
reason is that if f is a black-box one-way function, and OWFs do not exist, then
f must be a function that cannot be computed efficiently. Using Goldreich-Levin,
we can then infer that f(x) · r is hard to predict.

To formalize the above sketch, we need to show that if there is an efficient
algorithm that agrees with a function f on a noticeable fraction of inputs, and
if one-way functions do not exist, then there is an efficient algorithm that inverts
f on a noticeable fraction of inputs. This is somewhat more complicated than
it sounds and, in particular, we will need to use a result by Impagliazzo and
Luby [16], who show that if one-way functions do not exist and g is an efficiently
computable function, then, roughly speaking, given g(x) it is possible to sample
approximately uniformly from the set {x′ : g(x′) = g(x)}. We refer the reader
to the full version of this paper for the complete proof. □

From the above two lemmas, we conclude that mildly-BB reductions are as 
powerful as free reductions for this problem: 

Theorem 4.3. There is a mildly-BB reduction from ioKA to OWF if and only if
there is a free reduction from ioKA to OWF.

Next we state a similar result for reducing trapdoor permutations to OWF. 
We omit the proof in this extended abstract. 

Theorem 4.4. There is a mildly-BB reduction of io-trapdoor permutations to 
one-way functions if and only if there is a free reduction of io-trapdoor permu- 
tations to one-way functions. 



4.2 A Mildly-BB Construction More Efficient than HILL 

As mentioned in the introduction, a long-standing open question is to reduce 
or explain the inefficiency of the construction of pseudorandom generators from 
general one-way functions [14]. The construction of [14] is a fully black-box re- 
duction that seems to require polynomially many queries to the one-way function 
even to obtain a pseudorandom generator that stretches by one bit (in contrast 
to the construction of pseudorandom generators from one-way permutations [3, 
28,11], which requires only one query to stretch by one bit). 

Theorem 4.5. There is a mildly-BB construction of ioPRGs from OWFs that 
makes only one query. 

Thus to show that the inefficiency of [14] is inherent, one must consider more 
constrained reductions than mildly-BB reductions. In particular, one cannot 
directly use the approach of [8], which gives lower bounds on the efficiency of 
mildly-BB reductions. Alternatively, this theorem says that, in attempting to 
improve the efficiency of [14], there is no loss in treating the OWF as a black 
box. 

Lemma 4.6. Suppose that OWF exist. Then there is a mildly-BB construction 
of ioPRG based on OWF, where the construction makes zero oracle queries. 



Lemma 4.7. Suppose that OWF do not exist. Then there is a mildly-BB con- 
struction of ioPRG based on OWF, where the construction makes one oracle 
query. 

Proof (sketch). The construction is G^f(x, r) = (x, r, f(x) · r), for |x| = |r|.
The proof that this is a mildly-BB construction is analogous to the proof of
Lemma 4.2.
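As an added example (not the paper's code), the following Python runs the protocol from the proof of Lemma 4.2 and the one-query construction of Lemma 4.7 against a black-box f, counting oracle queries as in Section 4.2. Here f(x) · r is read as the inner product of f(x) and r modulo 2 (the Goldreich-Levin predicate), the oracle f is a constructed random function table, and `CountingOracle`, `eavesdropper`, `run_demo` and the other names are the example's own.

```python
import random


def inner_product_mod2(a, b):
    """The Goldreich-Levin bit <a, b> over GF(2); n-bit strings are represented as ints."""
    return bin(a & b).count("1") & 1


class CountingOracle:
    """Black-box access to f that records how many queries a construction makes."""

    def __init__(self, fn):
        self.fn = fn
        self.queries = 0

    def __call__(self, x):
        self.queries += 1
        return self.fn(x)


def key_agreement(f, n, rng):
    """The protocol of Lemma 4.2: Alice picks x, r in {0,1}^n and sends both to Bob;
    each party then computes the bit f(x) . r with a single query to f."""
    x, r = rng.getrandbits(n), rng.getrandbits(n)
    transcript = (x, r)  # everything that goes over the channel
    alice_bit = inner_product_mod2(f(x), r)
    bob_bit = inner_product_mod2(f(x), r)
    return transcript, alice_bit, bob_bit


def eavesdropper(transcript, program_for_f=None):
    """A mildly-BB adversary sees the transcript but has no oracle access to f.
    Only if it holds an efficient program computing f (the situation the proof of
    Lemma 4.2 argues cannot arise when f is black-box one-way and OWFs do not exist)
    can it reconstruct the agreed bit; otherwise it can only guess, signalled by None."""
    if program_for_f is None:
        return None
    x, r = transcript
    return inner_product_mod2(program_for_f(x), r)


def prg_one_query(f, x, r):
    """The construction of Lemma 4.7: G^f(x, r) = (x, r, f(x) . r) with |x| = |r|;
    one oracle query stretches the 2n input bits to 2n+1 output bits."""
    return (x, r, inner_product_mod2(f(x), r))


def run_demo(n=8, seed=2004):
    """Exercise both constructions on a constructed random function table for f."""
    rng = random.Random(seed)
    table = {x: rng.getrandbits(n) for x in range(2 ** n)}  # constructed stand-in for f
    f = CountingOracle(table.__getitem__)

    transcript, alice_bit, bob_bit = key_agreement(f, n, rng)
    ka_queries = f.queries  # one query per party
    guess = eavesdropper(transcript, program_for_f=table.__getitem__)

    f.queries = 0
    x, r = transcript
    output = prg_one_query(f, x, r)
    return {
        "parties_agree": alice_bit == bob_bit,
        "ka_queries": ka_queries,
        "eavesdropper_with_program_correct": guess == alice_bit,
        "eavesdropper_without_program": eavesdropper(transcript),
        "prg_queries": f.queries,
        "prg_output": output,
    }
```

The demo makes the two regimes of the proof visible: the parties always agree, the PRG spends exactly one query, and the only eavesdropper that learns the bit is one that can compute f itself, which is exactly the capability the lemma's hypothesis (f black-box one-way, no OWFs) denies.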
4.3 All Input Lengths versus Infinitely Often

In this section we described various mildly-BB constructions based on OWF, and
in each case we are only able to construct the primitive on infinitely many input
lengths. We briefly discuss why this is the case, focusing on the construction of
KA from OWF for concreteness. We have two cases: if KA is possible in the real
world, then we have a trivial mildly-BB construction that ignores the oracle.
If OWF do not exist, then we give a construction such that, on each input
length, the construction is correct provided that every efficient function with
related input length can be efficiently inverted. Unfortunately, the non-existence
of OWF only gives us inverters that work infinitely often. From such an inverter
we can only prove that the mildly-BB construction is correct infinitely often.

Note that, however, we are showing something more: roughly speaking, on 
any input length for which either KA is possible or OWF do not exist (that is, 
on any input length for which there is a free reduction from OWF to KA) we 
are able to give a mildly-BB construction of KA based on OWF. 

A similar technical problem arises in a paper by Impagliazzo and Levin [18], 
where the authors prove that a certain strong form of learning (that they call 
“universal extrapolation”) is possible if and only if one-way functions do not 
exist. Technically, the authors only prove that, on any input length, if OWF 
do not exist then universal extrapolation is possible, and if OWF exist then 
universal extrapolation is impossible. As the authors put it, “any given level of 
technology is capable of either universal extrapolation or cryptography, but not 
both.” 
Abstract. The goals of this paper are two-fold. First we introduce and
motivate a generalization of the fundamental concept of the indistin- 
guishability of two systems, called indifferentiability. This immediately 
leads to a generalization of the related notion of reducibility of one system 
to another. In contrast to the conventional notion of indistinguishabil- 
ity, indifferentiability is applicable in settings where a possible adversary 
is assumed to have access to additional information about the internal 
state of the involved systems, for instance the public parameter selecting 
a member from a family of hash functions. 

Second, we state an easily verifiable criterion for a system U not to 
be reducible (according to our generalized definition) to another system 
V and, as an application, prove that a random oracle is not reducible 
to a weaker primitive, called asynchronous beacon, and also that an 
asynchronous beacon is not reducible to a finite-length random string. 
Each of these irreducibility results alone implies the main theorem of 
Canetti, Goldreich, and Halevi stating that there exist cryptosystems 
that are secure in the random oracle model but for which replacing the 
random oracle by any implementation leads to an insecure cryptosystem. 



1 Introduction 

1.1 Motivation: Cryptographic Security Proofs 

The following generic methodology is often applied in cryptographic security
proofs. To prove the security of a cryptosystem C(·) with access¹ to a (real)
component system S, denoted C(S), one first proves that the system C(T) is
secure for some idealized component system T. Second, one proves the following
general relation between S and T: For any cryptosystem C(·), the security of
C(T) is not affected if T is replaced by S. Let us consider two examples.

* This research was supported by SNF Project No. 20-66716.01.

¹ The notation C(·) means that C takes as an argument (or is connected to) a system
that replies to queries by C.
Example 1. Let T be a source of truly random bits (secret for two communicating
parties A and B) and let S be a pseudo-random bit generator (with secret key
shared by A and B). If C(·) denotes XOR-based encryption (i.e., C(T) denotes
the one-time pad and C(S) denotes an additive stream cipher with key-stream
generator S), then the security of C(S) follows from the security of C(T) and
the fact that, for any efficient distinguisher (or adversary), S behaves essentially
like T, i.e., S and T are (computationally) indistinguishable.

Example 2. Let T be a random oracle R (i.e., a publicly accessible random function)
and let S be a hash function H(P), where H is a hash algorithm depending
on a public parameter P (selecting one function from a class of functions). In
contrast to pseudo-randomness (where the parameter is secret), no hash function
can implement a random oracle in the above sense, as proved by Canetti,
Goldreich, and Halevi [6]. In other words, there exists a cryptosystem C(·) such
that C(R) is secure while C(H(P)) is insecure for any hash algorithm H.

It is important to note that the formalization of this second example is more
involved than the first. Obviously, a random oracle is easily distinguishable from
a hash function if one knows its program and the public parameter, but this fact
does not prove the above-mentioned claim that a random oracle can generally
not be replaced by a hash function. What then is needed to prove this claim
and, more generally, similar impossibility results? It is the purpose of this paper
to formalize this problem and to provide the answer.

1.2 Random Oracles, Beacons, and Other Systems 

In this paper, we will be concerned with the following general question: For
given systems S and T, can T be replaced by S in the above sense? A natural
extension of this question is whether a system U can be reduced to a system V,
i.e., whether there exists an efficient algorithm B such that U can be replaced
by B(V) (in the above sense).

One example of such a system that we will consider more closely is the 
random oracle. Its importance in cryptography is due to the so called random 
oracle methodology where the security of a cryptosystem is proven under the 
assumption that a common randomly chosen function (the random oracle) is 
accessible by each party. This fact is then used as evidence for the security 
of the corresponding (real) cryptosystem where the random oracle is replaced 
by a hash function. The methodology was first made explicit by Bellare and 
Rogaway [2] and has been used in many papers (e.g. [8,9,17,13,2,11,3,16]). 

A (binary) random oracle R can be seen as an infinite sequence R_1, R_2, . . .
of public random bits where any arbitrary bit R_x can be accessed in one
computational step. One can also think of weaker primitives where the cost to access
the randomness is higher. In particular, we introduce a primitive, called (binary)
asynchronous beacon² Q, defined as a sequence of random bits R_1, R_2, . . . which
can only be read sequentially, i.e., the time needed to access R_x is linear in x. A
natural question is whether one can implement a random oracle using an
asynchronous beacon, i.e., whether there is an efficient algorithm B such that B(Q)
behaves like R. (Note that for each input, B could make polynomially many
queries to Q before generating the output.)

² The term “beacon”, due to Rabin, is used here only in the sense described. In
particular, the fact that for Rabin's beacons the randomness is available simultaneously

An even weaker primitive is a finite random string P, i.e., a finite sequence of
bits R_1, . . . (e.g., accessible in constant time). One could also consider other
systems between a finite random string, an asynchronous beacon, and a random
oracle, for which the random bits might be accessible faster than sequentially
but not in an arbitrary (random access) manner, or where the distribution of the
random bits is not uniform. In a sense, a random oracle and a finite random string
are two extreme points on a scale, and an asynchronous beacon is somewhere in
the middle.

For any two such systems U and V one can still ask the question whether U
can be implemented using V. This paper formalizes and solves this problem. We
show that, loosely speaking, the answer to this question is characterized by the
rates at which entropy can be accessed in the systems U and V. As special cases
one sees that a random oracle cannot be implemented using an asynchronous
beacon, and a beacon cannot be implemented using a finite random string. This
also proves the main result of [6] as a simple consequence of the fact that a
random oracle R contains substantially more entropy than a finite random string
P, in a manner to be made precise.



1.3 Indistinguishability and Indifferentiability 

Informally, two systems S and T are said to be indistinguishable if no (efficient)
algorithm D(·), connected to either S or T, is able to decide whether it is
interacting with S or T. As mentioned above, the security of a cryptosystem C(S)
involving a component S is typically proven by considering the cryptosystem
C(T) obtained from C(S) where the component S is replaced by an idealized
component T. The original system C(S) is secure if (a) the system C(T) is
secure, and (b) the component S is indistinguishable from T (cf. Example 1).

The notion of reducibility is directly based on indistinguishability. A system
U is said to be reducible to V if the system V can be used to construct a new
system B(V) which is indistinguishable from U. Again, reducibility is useful for
cryptographic security proofs: If U is reducible to V, then, for any cryptosystem
C(U) using U as a component, there is another cryptosystem based on V, namely
C(B(V)), having the same functionality and, in particular, providing the same
security as C(U).

However, these considerations are all subject to the assumption that the party
using such a component has exclusive access to it, i.e., that all other parties,
including a possible adversary, are unable to directly influence the component's
behavior or obtain any information about its randomness. As described in
Example 2, this is not the case for many components. Indeed, while for each party
the output of a random oracle R is indistinguishable from the output of a local
random function R^loc, the security of a cryptosystem based on R^loc (where, e.g.,
the randomness is used for a randomized encryption) might obviously be lost
when replacing this component by R.

² (continued) to all parties, and that future beacon outputs remain secret until released, is not of
relevance here.

In order to extend the definition of indistinguishability such as to include this
type of systems, we will propose a new concept of indistinguishability, called
indifferentiability. Together with its derived notion of reducibility, it will allow for
exactly the same general statements about the security of cryptosystems as the
conventional definitions. In particular, this means that, first, if a component S is
indifferentiable from T, then the security of any cryptosystem C(T) based on T is
not affected when replacing T by S. Second, differentiability of S from T implies
the existence of a cryptosystem C(·) for which this replacement of components is
not possible, i.e., C(T) is secure but becomes insecure if T is substituted by S.
Thus, similar to conventional indistinguishability, indifferentiability is the weakest
possible property allowing for security proofs of the generic type described
above, but it applies to more general settings.

1.4 Organization of the Paper 

In Section 2, we give a straightforward proof of the classical separation result 
in [6] that a random oracle cannot be realized by a (family of) hash functions. 
While this separation result also follows directly from our general results derived 
in the subsequent sections, we think that starting with a self-contained proof of 
this (well-known) example will help the reader to understand the motivation for 
the definitions and to follow the rest of the paper. Section 4 and Section 5 are 
concerned with the generalization of the concept of indistinguishability, called 
indifferentiability, and the corresponding generalization of reducibility, respec- 
tively. These notions are then applied in Section 6 to state and prove a general 
irreducibility criterion, which is used in Section 7 to derive separation results for 
finite random strings, beacons, and random oracles. 

2 A Motivating Example: A Simple Proof of the 
Impossibility of Implementing a Random Oracle 

The following proposition directly implies the separation result as formulated
in [6]. Its original proof is quite involved as it is based on techniques like Micali's
CS-proofs [11]. Very recently, the same authors [7] showed that their result
extends to signature schemes for only short messages. Other similar impossibility
results are proposed in [12] and [1].

Proposition 1. There exists a signature scheme C(·) (consisting of a key-generating,
a signing, and a verification algorithm) with access to either a random
oracle R or an implementation thereof such that the following holds (with respect
to some security parameter k):
— C(R) is secure, i.e., the probability that an attacker against C(R) is successful
is negligible in k.³

— There is an adversary breaking C(f) for any arbitrary efficiently computable
function f. In particular, C(H(P)) is insecure for any hash function H with
public parameter P.

— C(·) is efficient (i.e., the running time of the algorithms is polynomially
bounded in the size of their input and the security parameter k).

Proof. The proof consists of two parts. First, we construct C(·) based on a
distinguishing algorithm D(·) which has the property that the behavior of D(R) is
different from D(f). Second, we give a construction for D(·) and prove that it
has all the desired properties.

Let us thus assume that D(·) is an algorithm taking as input a bitstring m
(together with a security parameter k) and generating a binary output such that
the following holds:

(a) The probability (over the randomness of R) that there exists an input
causing D(R) to output 1 is negligible in k.

(b) For any efficiently computable function f, there exists an input m causing
D(f) to output 1. Moreover, m is easily computable given an algorithm for
efficiently computing f.

(c) D(·) is efficient (i.e., its running time is polynomially bounded by the size
of its input m and the security parameter k).

Let C′(·) be an efficient signature scheme which is secure when accessing a
random oracle. The signature scheme C(·) is then constructed by modifying the
signing algorithm of C′(·) as follows: On input m, it first calls D(·) for input m.
If D(·) outputs 0, m is signed as usual (i.e., by calling the signing algorithm
of C′(·)). Otherwise, it behaves completely insecurely (e.g., by revealing a secret
key).

It is easy to see that C(·) satisfies the requirements of the proposition: The
security of C(R) follows directly from property (a). Furthermore, property (b)
implies that there is an input m (efficiently computable by an adversary) causing
C(f) to behave completely insecurely. Finally, the efficiency of C(·) follows from
the efficiency of D(·) (property (c)) and the efficiency of C′(·).

It remains to be proven that an algorithm D(·) with the desired properties
(a) to (c) indeed exists. We give an explicit construction for D(·) and then show
that properties (a) to (c) are satisfied. For the following, assume without loss of
generality that the random oracle R is binary, i.e., its outputs are single bits.



Construction of D. D(·) interprets its input m as a pair (π, t) consisting of an encoding of a program π for a universal Turing machine and a unary encoding of some integer t (i.e., t ≤ |m|). Let q = 2|π| + k (where |π| is the length of the encoding of π). For inputs x = 1, ..., q, D(·) simulates at most t steps of the program π, resulting in outcomes π(1), ..., π(q).† Similarly, D(·) sends the queries x = 1, ..., q to the component it is connected to (R or f), resulting in answers a(1), ..., a(q). If π(x) = a(x) for all x = 1, ..., q, D(·) outputs 1, and 0 otherwise.

* A function f : k ↦ f(k) is negligible in k if f(k) decreases faster than the inverse of any polynomial in k.

D satisfies property (a). For any fixed program π, let p_π be the probability (over the randomness of R) that for an input m encoding π, D(R) outputs 1. By construction, this happens if and only if π(x) = a(x) for all x = 1, ..., q. Since, for each x, the random output a(x) (of the binary random oracle R) is equal to the output π(x) (of the fixed program π) with probability at most 1/2, we have p_π ≤ 2^{-q} = 2^{-(2|π|+k)}. Hence, the probability p_l of the event that there exists a program π of length l such that D(R) outputs 1 is bounded by

$$p_l \le \sum_{\pi \in \{0,1\}^l} p_\pi \le 2^{l} \cdot 2^{-(2l+k)} = 2^{-(l+k)}.$$

Finally, the probability p that there exists a program π of arbitrary length causing D(R) to output 1 is bounded by

$$p \le \sum_{l=1}^{\infty} p_l \le \sum_{l=1}^{\infty} 2^{-(l+k)} = 2^{-k}.$$



D satisfies property (b). Let π be an arbitrary program that efficiently computes f, and let t be the maximum running time of π for all inputs y ∈ {1, ..., q} where q = 2|π| + k. By construction, the values π(x) computed by D(f) on input m := (π, t) satisfy π(x) = f(x). Consequently, the equalities π(x) = a(x) tested by D(f) hold for all values x = 1, ..., q, causing D(f) to output 1. Note that the maximum running time t can be determined efficiently given the program π (since π is efficient). The input m is thus efficiently computable from π.

D satisfies property (c). The running time of D(R) is essentially given by the time needed to compute the q = 2|π| + k values π(1), ..., π(q). For the computation of each of these values, the program π is executed for at most t steps. Since |π| as well as the number t are both bounded by the size of m (recall that t is unary encoded in m), the running time of D(R) satisfies O((2|π| + k) · t) ≤ O((|m| + k)^2). □
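As an added illustration (our code, not the paper's), the distinguisher D(·) of the proof above can be run concretely once a universal machine is fixed. The block below uses a tiny stack machine in place of the universal Turing machine, encodes a program π as JSON so that |π| is the length of that encoding, and takes the parity function as the efficiently computable f; the instruction set, the encoding, and the parity program are our own choices and not from the paper. It checks property (b), namely that the input m = (π, t) computed from π makes D(f) output 1, and property (a), namely that D(R) outputs 0 except with probability 2^{-q} for q = 2|π| + k.

```python
"""Added example: the distinguisher D(.) from the proof of Proposition 1,
instantiated with a small stack machine standing in for the universal
Turing machine.  All concrete choices here (instruction set, JSON encoding,
parity program) are ours and hypothetical."""
import json
import secrets
from typing import Callable, Dict, List, Tuple

Program = List[List]                 # e.g. [["push_x", 0], ["push", 2], ["mod", 0]]
Component = Callable[[int], int]     # the system D is connected to: R or f


def encode(pi: Program) -> bytes:
    """Encoding of pi; its length plays the role of |pi|."""
    return json.dumps(pi).encode()


def simulate(pi: Program, x: int, max_steps: int) -> Tuple[int, int, bool]:
    """Run pi on input x for at most max_steps steps.
    Returns (output bit, steps used, halted).  If pi has not halted within
    the bound, the output is the dummy value 0, as in the paper's footnote."""
    stack: List[int] = []
    pc = steps = 0
    while pc < len(pi) and steps < max_steps:
        op, arg = pi[pc]
        steps += 1
        if op == "push_x":
            stack.append(x)
        elif op == "push":
            stack.append(arg)
        elif op == "mod":
            b, a = stack.pop(), stack.pop()
            stack.append(a % b if b else 0)
        elif op == "shr":
            stack.append(stack.pop() >> arg)
        elif op == "xor":
            stack.append(stack.pop() ^ stack.pop())
        elif op == "jnz":            # conditional jump: loops make the t bound matter
            if stack.pop() != 0:
                pc = arg
                continue
        else:
            raise ValueError(f"unknown instruction {op}")
        pc += 1
    halted = pc >= len(pi)
    output = stack[-1] & 1 if halted and stack else 0
    return output, steps, halted


def distinguisher(m: Tuple[Program, int], k: int, component: Component) -> int:
    """D(.) on input m = (pi, t): compare pi's first q outputs, q = 2|pi| + k,
    with the answers of the connected component; output 1 iff all agree."""
    pi, t = m
    q = 2 * len(encode(pi)) + k
    for x in range(1, q + 1):
        bit, _, _ = simulate(pi, x, t)
        if bit != component(x):
            return 0
    return 1


class RandomOracle:
    """Binary random oracle R: independent uniform bits, sampled lazily."""
    def __init__(self) -> None:
        self._table: Dict[int, int] = {}

    def __call__(self, x: int) -> int:
        if x not in self._table:
            self._table[x] = secrets.randbits(1)
        return self._table[x]


def adversary_input(pi: Program, k: int) -> Tuple[Program, int]:
    """Property (b): from a program pi computing f, the adversary derives
    m = (pi, t) with t the maximal running time of pi on the inputs 1..q."""
    q = 2 * len(encode(pi)) + k
    t = 0
    for x in range(1, q + 1):
        _, steps, halted = simulate(pi, x, 10 ** 6)   # cap only guards against a non-halting pi
        assert halted, "pi is assumed to be efficient, hence halting"
        t = max(t, steps)
    return pi, t


# Constructed example of an efficiently computable f: the parity of x,
# and a program pi for the stack machine computing it (x mod 2).
PARITY_PROGRAM: Program = [["push_x", 0], ["push", 2], ["mod", 0]]


def parity(x: int) -> int:
    return x & 1


def demo(k: int = 16) -> Tuple[int, int]:
    """(D(f) on the adversary's input, D(R) on the same input).
    Expected (1, 0); the second entry is 1 only with probability 2^-q."""
    m = adversary_input(PARITY_PROGRAM, k)
    return distinguisher(m, k, parity), distinguisher(m, k, RandomOracle())


if __name__ == "__main__":
    print(demo())        # -> (1, 0)
```

The query bound q grows with |π| so that no program short enough to have a non-negligible chance of matching q independent oracle bits exists; running `demo` with a larger k only makes the random-oracle side fail more surely, while the parity side stays at 1 because t was computed from π itself.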

† If the program π does not generate an output after t steps, π(i) is set to some dummy value.

3 Basic Definitions and Notation

3.1 Interacting Systems

For the representation of (cryptographic) systems, we will basically adapt the terminology introduced in [10]. An (X, Y)-system is a sequence of conditional probability distributions P_{Y_i | X^i Y^{i-1}} (i ∈ N) with X^i := [X_1, ..., X_i] and Y^{i-1} := [Y_1, ..., Y_{i-1}], where X_i, called the ith input, and Y_i, the ith output, are random variables with range X and Y, respectively. Intuitively speaking, a system is defined by the probability distribution of each output Y_i conditioned on all previous inputs X^i and outputs Y^{i-1}. If each output Y_i of S only depends on the actual input X_i, and possibly some randomness, then S is called a random function. For instance, a system S might be specified by an algorithm, where, for each input, the output is computed according to a given sequence of instructions. For convenience, we will assume that the systems' inputs and outputs are natural numbers, or, equivalently, their representation as finite bitstrings.

A configuration of systems is a set of systems where the systems' interfaces are pairwise connected. Any configuration of systems can be seen as a new system. For instance, let S be a system with two interfaces and let T be a system whose interface is connected to the first interface of S. The resulting system, denoted as S(T), has one interface corresponding to the second (free) interface of S as shown in Fig. 1(a). In this case, the original system S is denoted as S(·), and T is called component of S(T). More complex constructions are denoted similarly, e.g., E(C^priv, A(C^pub)) and B(V^priv) for the configurations depicted in Fig. 1(b) and Fig. 1(c), respectively.




Fig. 1. Composition of systems: (a) S(T); (b) E(C^priv, A(C^pub)); (c) B(V^priv).



Many complexity-theoretic and cryptographic properties of systems and par- 
ticularly of algorithms are defined in terms of their asymptotic behavior with 
respect to some security parameter k. Thus, in the sequel, when speaking of a 
“system” S, we will rather mean a family (S_k)_{k∈N} parameterized by k, where each S_k is a system in the sense described above.
3.2 A Notion of Efficiency for Systems

An algorithm B is said to be computationally efficient if its running time is bounded by a polynomial in its input size and the security parameter k. Similarly to the computational efficiency of algorithms, we are interested in a certain notion of efficiency for systems S and constructions based on them. However, since a system S is not necessarily described by an algorithm, the usual formulation in terms of the number of computational steps is not sufficiently general. A more abstract approach to overcome this problem is to assign to each (X, Y)-system S a cost function c specifying the amount of a certain resource (e.g., time) needed to process an input. For simplicity, we will assume that these costs only depend on the actual input, i.e., c is a function of the input x ∈ X alone. Additionally, the costs c of a composite system B(V) must be compatible with the costs c_V of the underlying component V, i.e., for any input x to B(V), c(x) is at least as large as the sum of the costs c_V(x_i) for all queries x_1, ..., x_n sent by B to V while processing x.

Similarly to the usual notion of computational efficiency of algorithms, we say that a system S (or, more precisely, the class (S_k)_{k∈N} of systems S_k with cost functions c_k) is cost-efficient if c_k(x) is bounded by a polynomial in the input length |x| and the security parameter k, i.e., c_k(x) ≤ p(|x|, k) for some polynomial p. For two systems U and V, let Γ(V/U) be the set of all deterministic systems‡ B(·) such that the costs of the system B(V) are bounded by a polynomial in the costs of the system U and the security parameter k. This means that, for any B(·) ∈ Γ(V/U), the construction B(V) is as cost-efficient (up to a polynomial factor) as U, and, in particular, if the system U is cost-efficient, then so is the system B(V).

We will see in Section 6 that the entropy of the output of a system expressed in terms of the costs to produce this output is a measure allowing for deciding whether a certain reduction is possible. Let the system S_k be a random function with cost function c_k which is monotonically increasing in its inputs, and let Y_1, ..., Y_{n_t} be the sequence of outputs of S_k on inputs 1, ..., n_t, where n_t is the maximal input x such that c_k(x) ≤ t. The functions h^0_{S_k} and h^∞_{S_k} are defined, based on two different entropy measures, as

$$h^0_{S_k}(t) := H_0(Y_1, \ldots, Y_{n_t}) \quad\text{and}\quad h^\infty_{S_k}(t) := H_\infty(Y_1, \ldots, Y_{n_t}),$$

respectively, where H_0(Z) := log_2 |Z| (the logarithm of the number of values Z takes with positive probability), and where H_∞ is the min-entropy (defined as H_∞(Z) := −log_2 max_z P_Z(z)). That is, for any bound t on the costs c_k determining a maximum input n_t, the quantities h^0_{S_k}(t) and h^∞_{S_k}(t) measure the entropy of the outputs of the system S_k for inputs 1, ..., n_t (where the probability is taken over the internal randomness of S_k). Clearly, h^0_S and h^∞_S are monotonically increasing functions, and h^0_S(t) ≥ h^∞_S(t).

‡ The restriction to deterministic systems B(·) does not restrict the generality of our results. It simply implies that any randomness to be used by B(·) must be modeled explicitly (by a random system attached to B(·)).




Indifferentiability, Impossibility Results on Reductions



3.3 Cryptosystems and Security 

A cryptosystem as well as any cryptographic primitive can generally be modeled 
as a random system providing interfaces to certain players. Usually, these players 
are either honest parties or controlled by an adversary. In this paper, we will be 
concerned with settings where the cryptographic primitives can be accessed by 
the honest players and the adversary in some predefined way. As an example, 
consider a publicly accessible resource (e.g., a random oracle or a public random 
string), where the interfaces to all players are identical. In this case, a possible 
adversary can access exactly the same information as the honest parties. Another 
example is a private resource, (e.g., a source of private randomness), to which 
the adversary is assumed to have no (direct) access at all. 

In general, one might want to model situations where the adversary has some 
partial access to a cryptographic primitive. We thus define a resource S to be 
a random system with two interfaces, called private and public, respectively. 
In the following, we will think of the private and the public interface as being 
accessible by the honest parties and the adversary, respectively. A resource S is 
called public if the private and the public interface are identical (i.e., the answers 
to identical queries are identical). 

Let U and V be resources. Similarly to the set Γ(V/U), we denote by Γ^priv(V/U) the set of deterministic systems B(·) such that the costs of the system B(V) := B(V^priv) resulting from connecting B(·) to the private interface of V (cf. Fig. 1(c)) are polynomially bounded by the costs of U and a security parameter k.

In the following, we think of a cryptosystem C as being a resource (with a private and a public interface, modeling the access of the honest parties and the adversary, respectively). The security of a cryptosystem C is characterized relative to an ideal cryptosystem C' which by definition is secure. Obviously, this requires the ability to compare the security of cryptosystems, i.e., it needs to be specified what it means for a cryptosystem C to be at least as secure as another cryptosystem C'. The following definition is based on ideas proposed by Canetti [4,5], and by Pfitzmann and Waidner [14,15] (for the case of static adversaries), adapted to our notion of systems.

Let C and C' be two cryptosystems, and consider the configuration depicted in Fig. 1(b), where E(·,·) is a random system with binary output, called environment.

Definition 1. C is said to be at least as secure as C', denoted C ≻ C', if for all environments E the following holds: For any attacker A accessing C there is another attacker A' accessing C' such that the difference between the probability distributions of the binary outputs of E(C^priv, A(C^pub)) and E(C'^priv, A'(C'^pub)),

$$\bigl|\,\mathrm{Prob}[\mathcal{E}(C^{\mathrm{priv}}, \mathcal{A}(C^{\mathrm{pub}})) = 1] - \mathrm{Prob}[\mathcal{E}(C'^{\mathrm{priv}}, \mathcal{A}'(C'^{\mathrm{pub}})) = 1]\,\bigr|,$$

is negligible in the security parameter k.

Similarly, C is computationally at least as secure as C', denoted C ≻_c C', if, additionally, E, A, and A' are efficient algorithms.
4 Indifferentiability

4.1 The Conventional Notion of Indistinguishability 

Before introducing indifferentiability as a generalization of indistinguishability, we first recall the standard definition of indistinguishability. Let S = (S_k)_{k∈N} and T = (T_k)_{k∈N} be two (X, Y)-systems.

Definition 2. S and T are (computationally) indistinguishable if for any (computationally efficient) algorithm D (called distinguisher), interacting with one of these systems and generating a binary output (0 or 1), the advantage

$$\bigl|\,\mathrm{Prob}[\mathcal{D}(S_k) = 1] - \mathrm{Prob}[\mathcal{D}(T_k) = 1]\,\bigr|$$

is negligible in the security parameter k.

The relation between indistinguishability and the security of cryptosystems is summarized by the following proposition, which in its generalized form (Theorem 1) will be proven below. Let S and T be two resources which have only private interfaces.

Proposition 2. If and only if S and T are indistinguishable, then, for every cryptosystem C(T) using T as a component, the cryptosystem C(S) obtained from C(T) by replacing the component T by S is at least as secure as C(T).

The first implication, stating that the security of C{S) is an immediate conse- 
quence of the indistinguishability between S and T (and the security of C(T)), is 
well-known in cryptography. On the other hand, to our knowledge, the (simple) 
observation that this condition is also necessary in general has not previously 
been stated explicitly. 

It is important to note that Proposition 2 only applies to settings where the 
resources have no public interfaces, i.e., a possible opponent has no direct access 
to any additional information correlated with the behavior of the systems. 

4.2 Generalization to Indifferentiability 

We will now extend the definition of indistinguishability to resources (with private and public interfaces, as defined in Section 3). A first attempt might be to consider a distinguisher D accessing both the private as well as the public interfaces of the resources. However, it turns out that such an approach leads to a too strong notion of indistinguishability (with respect to Proposition 2). This means, for instance, that there are resources S and T which are not indistinguishable (according to such a definition) while, for any cryptosystem C(T) based on T, replacing T by S has no impact on its security, i.e., the second implication of Proposition 2 would not hold.

A notion of indistinguishability overcoming this problem is formalized by the following definition, which, unlike the conventional definition, is not symmetric. Let S = (S_k)_{k∈N} and T = (T_k)_{k∈N} be two resources and let D(S_k^priv, S_k^pub) and D(T_k^priv, P(T_k^pub)) denote the configurations of systems as depicted by Fig. 2 (a) and (b), respectively.
Fig. 2. Indifferentiability: The distinguisher D for differentiating S from T is either connected to the system S or the system T. In the first case (a), D has direct access to the private and the public interfaces of S, while in the latter case (b) the access to the public interfaces of T is replaced by an arbitrary intermediate system P.



Definition 3. S is indifferentiable from T, denoted S ⊏ T, if for any system D (called distinguisher) with binary output (0 or 1) there is a system P such that the advantage

$$\bigl|\,\mathrm{Prob}[\mathcal{D}(S_k^{\mathrm{priv}}, S_k^{\mathrm{pub}}) = 1] - \mathrm{Prob}[\mathcal{D}(T_k^{\mathrm{priv}}, \mathcal{P}(T_k^{\mathrm{pub}})) = 1]\,\bigr|$$

is negligible in the security parameter k. The indifferentiability is computational, denoted S ⊏_c T, if only computationally efficient algorithms are considered for D and P.

Note that indistinguishability is a special (symmetric) case of indifferentia- 
bility. Indeed, if the resources have no public interfaces, indifferentiability (Def- 
inition 3) is obviously equivalent to indistinguishability (Definition 2). 

One important point about our generalization of indistinguishability is that a 
similar relation between the security of cryptosystems and the indifferentiability 
of its components as the one stated in Proposition 2 (for indistinguishability) 
holds. The following theorem shows that indifferentiability is the exact (i.e., 
necessary and sufficient) criterion needed to make general statements about the 
security of cryptosystems when substituting their components. 

Let S = (S_k)_{k∈N} and T = (T_k)_{k∈N} be two resources.

Theorem 1. Let C range over the set of all cryptosystems. Then,

$$S \sqsubset T \iff \forall\, C:\ C(S) \succ C(T).$$

In the computational case, the same equivalence holds when “⊏” and “≻” are replaced by “⊏_c” and “≻_c”, respectively.
The theorem implies that if S is indifferentiable from T and if a cryptosystem C(T) based on T is secure, then so is C(S), the cryptosystem obtained from
C(T) by replacing the component T by S. Note that the asymmetry of indif- 
ferentiability implies that there is an asymmetry on the right hand side of the 
equivalence in Theorem 1. In fact, even if security of C(S) implies security of 
C(T), then security of C(T) does not necessarily imply security of C(S). 




Fig. 3. Illustration for proof of Theorem 1 (“⇒”).



Proof. The proof is given for the information-theoretic case, where all systems might be computationally unbounded. It can however easily be adapted to hold for the computational case. To simplify the notation, set

$$d_{\mathcal{D},\mathcal{P}}(k) := \bigl|\,\mathrm{Prob}[\mathcal{D}(S_k^{\mathrm{priv}}, S_k^{\mathrm{pub}}) = 1] - \mathrm{Prob}[\mathcal{D}(T_k^{\mathrm{priv}}, \mathcal{P}(T_k^{\mathrm{pub}})) = 1]\,\bigr|$$

where D is a distinguisher, P an additional system, and where the configurations of systems are specified by Fig. 2 (as in Definition 3). Similarly, define

$$e_{\mathcal{E},C,\mathcal{A},\mathcal{A}'}(k) := \bigl|\,\mathrm{Prob}[\mathcal{E}(C(S_k^{\mathrm{priv}}), \mathcal{A}(S_k^{\mathrm{pub}})) = 1] - \mathrm{Prob}[\mathcal{E}(C(T_k^{\mathrm{priv}}), \mathcal{A}'(T_k^{\mathrm{pub}})) = 1]\,\bigr|$$

where E is an environment, C a cryptosystem, and where A, A' are attackers interacting with S and T, respectively (as shown in Fig. 3). The statement of the theorem can then be rewritten as

$$\forall\, \mathcal{D}:\ \exists\, \mathcal{P}:\ d_{\mathcal{D},\mathcal{P}}(k) \text{ is negl.} \iff \forall\, C:\ \forall\, \mathcal{E}:\ \forall\, \mathcal{A}:\ \exists\, \mathcal{A}':\ e_{\mathcal{E},C,\mathcal{A},\mathcal{A}'}(k) \text{ is negl.}$$

Fig. 4. Illustration for proof of Theorem 1.

The idea for the proof is to relate both sides of this equivalence such that d_{D,P}(k) = e_{E,C,A,A'}(k) holds.

Let us start with the first implication (“⇒”). Let C be any cryptosystem, E an environment and A an attacker. Define the distinguisher D as the system resulting from C, E, and A being combined as shown in Fig. 3(a), and let P be the system such that d_{D,P}(k) is negligible in k. Finally, define the attacker A' as A(P) (cf. Fig. 3(b)). The two settings involving the system S (represented in Fig. 3(a) by solid lines and dashed lines, respectively) as well as the two settings involving the system T (Fig. 3(b)) are then obviously equivalent, i.e., the probabilities of their outputs are equal. Consequently, e_{E,C,A,A'}(k) equals d_{D,P}(k), i.e., e_{E,C,A,A'}(k) is negligible.

The second implication (“⇐”) is proven similarly. Let D be any distinguisher. Let the cryptosystem C be identical to D,§ and define the environment E and the attacker A as a trivial system simply forwarding all queries as shown in Fig. 4(a). Let A' be an attacker such that e_{E,C,A,A'}(k) is negligible in k. Finally, define P := A' (cf. Fig. 4(b)). Again, the two settings involving the system S (Fig. 4(a)) as well as the two settings involving the system T (Fig. 4(b)) are equivalent, i.e., d_{D,P}(k) equals e_{E,C,A,A'}(k) and is thus negligible. □

§ Motivated by a construction given in [6], one could also define a more “realistic” cryptosystem containing D such that, if D outputs 0, it performs some useful task, while, if D outputs 1, it behaves completely insecurely by revealing some secret information.

5 Reductions and Reducibility 

In cryptography one often asks whether a given system V can be used to construct a (seemingly stronger) system U which is specified by its functionality. If this is the case, one says that U is reducible to V. The formal definition of reducibility makes clear that this concept is strongly related to the notion of indistinguishability, or, in our generalized setting, to indifferentiability.

Let U and V be two resources.

Definition 4. U is information-theoretically securely (computationally securely) reducible to V, denoted U ⇝ V (U ⇝_c V), if there exists a (computationally efficient) algorithm B ∈ Γ^priv(V/U) such that B(V) ⊏ U (B(V) ⊏_c U).

Analogously to indistinguishability and indifferentiability, the concept of reducibility is useful for cryptographic security proofs. The following theorem is a direct consequence of Theorem 1 and the above definition of reducibility.

Theorem 2. Let C range over the set of all cryptosystems. Then,

$$U \rightsquigarrow V \iff \exists\, B \in \Gamma^{\mathrm{priv}}(V/U):\ \forall\, C:\ C(B(V)) \succ C(U).$$

In the computational case, the same statement holds when “⇝” and “≻” are replaced by “⇝_c” and “≻_c”, respectively.

6 A Sufficient Criterion for Irreducibility 

The following theorem gives an easily verifiable sufficient criterion for a public 
resource U not to be reducible to another public resource V. This criterion will 
be formulated in terms of the entropy of the output generated by these resources, 
as defined in Section 3. 

Let U = (U_k)_{k∈N} and V = (V_k)_{k∈N} be two public resources with costs given by c_{U_k} and c_{V_k}, respectively. For convenience, let us assume that for fixed t, the entropies h^∞_{U_k}(t) and h^0_{V_k}(t) are monotonically increasing in k. Informally speaking, the theorem states that U is not reducible to V if h^∞_{U_k}(t) grows “sufficiently faster than” h^0_{V_k}(t).

Theorem 3. If for each k ∈ N and any polynomial p the function h^∞_{U_k} grows asymptotically faster than the function h^0_{V_k} ∘ p, then $U \not\rightsquigarrow V$.

A similar theorem holds for the computational case. (In the proof given below, the main changes needed to obtain a computational version are indicated.) The proof mainly follows the lines of the proof of Proposition 1 given in Section 2: It is shown that for any reduction B(·), there exists a distinguisher for differentiating B(V) from U. The idea is to let the distinguisher simulate B(V) and then check whether this simulation corresponds to the behavior of the resource it is connected to (U or B(V)). By an entropy argument, it can be concluded that this test fails (with high probability) if (and only if) the distinguisher is connected to U.

Proof. It has to be shown that $B(V) \not\sqsubset U$ for any B(·) ∈ Γ^priv(V/U). By the definition of Γ^priv(V/U), B(V)'s costs c_k are bounded by a polynomial p_k in the costs c_{U_k} of U_k and the security parameter k,

$$c_k(x) \le p_k\bigl(c_{U_k}(x)\bigr). \qquad (1)$$

Similarly to the proof presented in Section 2, we first give an explicit con- 
struction of a distinguisher for differentiating B(V) from U, and then show that 
it has all the desired properties. 

Construction of D. The distinguisher D for differentiating B(V) from U has two interfaces (cf. Fig. 2 where S = B(V) and T = U) which we call D^priv and D^pub, respectively.

For r ∈ N, let the min-entropy H_∞(Y_1 ... Y_r) of all outputs Y_i of the system U_k on inputs X_i := i (for i = 1, ..., r) be denoted as h_k(r), and let l be some positive integer to be determined later. For simplicity, let us assume (without loss of generality) that the functions h_k as well as h^∞_{U_k} are invertible, and that the outputs of V are single bits.

D is constructed as follows: First, D sends queries X_j := j for j = 1, ..., l to interface D^pub and stores the received answers z_1, ..., z_l (which by assumption are single bits). Then, D subsequently simulates B(V) on test inputs X_i := i for i = 1, ..., n where n := (h_k)^{-1}(l + k), resulting in outcomes ỹ_i. For the simulation of B, any query x' ∈ {1, ..., l} of B to V is answered by the corresponding stored value z_{x'}. If x' > l, D stops with output 0. The same test inputs X_i are then sent to interface D^priv, resulting in answers y_i. If y_i = ỹ_i for all i = 1, ..., n, D outputs 1, and 0 otherwise.

The above construction of D must be modified slightly in order to avoid the following technical problem: The stored values z_1, ..., z_l might be arbitrarily chosen by P, in which case they do not necessarily correspond to (potential) outputs of V. The number of queries of the simulated system B and, in the computational case, the running time of the simulation of B, might thus be unbounded when using z_1, ..., z_l as answers for simulating B's queries. To overcome this problem, D simply stops the simulation of B on input x after some maximal number t_max(x) of queries (and, in the computational case, some maximal number t'_max(x) of computational steps) of B, where t_max(x) (and t'_max(x)) is the maximal number of queries (computational steps) of B when receiving correct answers to its queries.

It remains to show that D satisfies the following properties:

(a) D(U_k^priv, P(U_k^pub)) outputs 1 with negligible probability in k (for any system P).

(b) D(B(V_k^priv), V_k^pub) outputs 1 with certainty.
D satisfies property (a). Note that D can only have output 1 if the n-tuples y = (y_1, ..., y_n) and ỹ = (ỹ_1, ..., ỹ_n) are equal. It thus suffices to verify that the probability of this event is negligible in k.

Since ỹ is fully specified by the bits z_1, ..., z_l used for the simulation of B(V) (note that B is deterministic) there are at most 2^l possible values for ỹ. Let 𝒴 be the set of these 2^l values. Obviously, ỹ can only be equal to y if y ∈ 𝒴. This happens with probability at most

$$\sum_{y \in \mathcal{Y}} P_Y(y) \le |\mathcal{Y}| \cdot \max_{y} P_Y(y) \le 2^{l} \cdot 2^{-h_k(n)} = 2^{l} \cdot 2^{-(l+k)} \le 2^{-k},$$

which concludes the proof of property (a).



D satisfies property (b). We first show that the property holds for l satisfying

$$l \ge h^0_{V_k}\Bigl(p_k\bigl((h^\infty_{U_k})^{-1}(l + k)\bigr)\Bigr), \qquad (2)$$

where p_k(·) is defined as in (1). Second, we prove that condition (2) is always satisfied for l large enough (but polynomially bounded in the computational case).

By the definition of h^∞_{U_k}, c_{U_k}(x) ≤ (h^∞_{U_k})^{-1}(l + k) holds for all queries x = 1, ..., n. By assumption, the costs c_U and c (of U and B(V), respectively) satisfy condition (1). The costs c_{V_k}(x') of V_k for each potential query x' of B to V are thus bounded by

$$c_{V_k}(x') \le p_k\bigl((h^\infty_{U_k})^{-1}(l + k)\bigr).$$

Let x_max be the maximal query of B to V (i.e., x' ≤ x_max for all queries of B). It follows from the definition of h^0_{V_k} that the length l' of the list containing V's answers to the queries 1, ..., x_max satisfies

$$l' \le h^0_{V_k}\Bigl(p_k\bigl((h^\infty_{U_k})^{-1}(l + k)\bigr)\Bigr).$$

By construction, D outputs 1 if the list of stored values z_1, ..., z_l contains the (correct) answers to all queries x' of B to V (note that, by assumption, B is deterministic). Clearly, this is the case if l' ≤ l, which is true if l satisfies inequality (2).

It remains to prove that (2) holds for l large enough: By assumption, for any k ∈ N, the function h^0_{V_k} ∘ p_k ∘ (h^∞_{U_k})^{-1} grows slower than the identity function. Hence

$$\lim_{l \to \infty} \frac{l}{h^0_{V_k}\Bigl(p_k\bigl((h^\infty_{U_k})^{-1}(l + k)\bigr)\Bigr)} > 1,$$

which implies that (for any fixed k) there is a value for l satisfying (2).
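The following block is an added example (our code, not the paper's) that instantiates the distinguisher D of this proof for the concrete pair U = uniform asynchronous beacon and V = uniform finite random string of |R| = k bits, i.e. the second irreducibility result of Theorem 4 in Section 7, against one constructed candidate reduction B(·). The choices l = k and n = l + k are our own instantiation of condition (2) and of n := (h_k)^{-1}(l + k): for a uniform beacon every output is a fresh uniform bit, so h_k(r) = r, and for the finite string h^0(t) equals k for every t ≥ C. The candidate B, which copies the k bits and XORs stored bits for later positions, is hypothetical; the construction works for any deterministic B, since D only ever replays the l stored bits and stops after t_max queries.

```python
"""Added example: the distinguisher D of the Theorem 3 proof, for
U = uniform beacon, V = uniform finite random string (|R| = k), and one
constructed candidate reduction B(.).  All instantiation choices are ours."""
import secrets
from typing import Callable, Dict, List

Interface = Callable[[int], int]          # a query x -> one output bit


class FiniteRandomString:
    """Public resource F: |R| uniform bits; queries x > |R| are answered by 0."""
    def __init__(self, length: int) -> None:
        self.bits = [secrets.randbits(1) for _ in range(length)]

    def query(self, x: int) -> int:
        return self.bits[x - 1] if 1 <= x <= len(self.bits) else 0

    private = public = query              # public resource: identical interfaces


class Beacon:
    """Public resource B: an infinite uniform string, sampled lazily."""
    def __init__(self) -> None:
        self._bits: Dict[int, int] = {}

    def query(self, x: int) -> int:
        if x not in self._bits:
            self._bits[x] = secrets.randbits(1)
        return self._bits[x]

    private = public = query


class SimulationAborted(Exception):
    """B queried a position with no stored bit, or exceeded t_max queries."""


def candidate_reduction(v: Interface, x: int, k: int) -> int:
    """A deterministic B(.) (constructed, hypothetical) that tries to stretch
    the k bits of V into a beacon: positions 1..k are copied, later positions
    are XORs of two stored bits.  It makes at most 2 queries per input."""
    if x <= k:
        return v(x)
    return v((x % k) + 1) ^ v(((3 * x) % k) + 1)


T_MAX = 2          # maximal number of queries of candidate_reduction per input


def distinguisher(priv: Interface, pub: Interface, k: int) -> int:
    """D with interfaces D^priv and D^pub.  Reads l = k bits from D^pub,
    simulates B(V) on inputs 1..n (n = l + k) from those bits alone, and
    compares with the answers of D^priv."""
    l = k
    z: List[int] = [pub(j) for j in range(1, l + 1)]        # stored answers z_1..z_l
    n = l + k                                                # n = h_k^{-1}(l + k), h_k(r) = r for a beacon
    y_sim: List[int] = []
    for i in range(1, n + 1):
        queries = 0

        def simulated_v(x_prime: int) -> int:
            nonlocal queries
            queries += 1
            if queries > T_MAX or x_prime > l:
                raise SimulationAborted
            return z[x_prime - 1]

        try:
            y_sim.append(candidate_reduction(simulated_v, i, k))
        except SimulationAborted:
            return 0
    y_real = [priv(i) for i in range(1, n + 1)]
    return int(y_sim == y_real)


def run_against_reduction(k: int = 32) -> int:
    """Setting (b): D connected to S = B(V), i.e. B(V^priv) on the private
    side and V^pub on the public side.  Always 1."""
    v = FiniteRandomString(k)
    return distinguisher(lambda x: candidate_reduction(v.private, x, k), v.public, k)


def run_against_beacon(k: int = 32) -> int:
    """Setting (a): D connected to T = U with some P in front of U^pub (here P
    forwards honestly).  The n = 2k private answers are uniform while the
    simulated tuple is one of at most 2^l = 2^k values, so D outputs 1 with
    probability at most 2^-k."""
    u = Beacon()
    return distinguisher(u.private, lambda x: u.public(x), k)


if __name__ == "__main__":
    print(run_against_reduction(), run_against_beacon())    # -> 1 0
```

Replacing `candidate_reduction` by any other deterministic system with a bounded number of queries per input leaves both runs unchanged, which is exactly the content of the proof: the public interface of a finite string leaks everything B(V) could ever compute, while the beacon keeps producing fresh entropy that no simulation from l bits can match.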
7 Applications

7.1 Random Oracles, Asynchronous Beacons, and Finite Random 
Strings 

We will now apply the framework presented in the previous sections to prove separation results for random oracles, beacons, and finite random strings. Each of these cryptographic primitives can be modeled as a public resource S whose outputs only depend on the previous inputs (i.e., S is a random function, providing identical private and public interfaces with input set X = N and output set Y = {0, 1}).¶ Each query x ∈ X to S is answered by R_x where R = R_1 R_2 ... is a (possibly infinite) bitstring randomly chosen according to some distribution P_R.

Random oracles, beacons, and finite random strings only differ by the length of the string R and the cost function c. For a random oracle 𝓡, R has infinite length and the costs are c(x) := 1, or, alternatively, c(x) := |x|, where |x| denotes the length of x. (In the following, we only need an upper bound for the costs of a random oracle, i.e., we will assume that c(x) ≤ |x|.) For an asynchronous beacon ℬ, R is also an infinite bitstring, but the costs for the queries are higher, namely c(x) := x. On the other hand, for a finite random string ℱ, the length |R| of R is given as a function in the security parameter k which is bounded by a polynomial p, and the costs are c(x) := C for some constant C. Moreover, for any query on input x with x > |R| the output is 0. In the following, we say that a random oracle, beacon, or finite random string is uniform if R is uniformly distributed, and denote these objects as 𝓡, ℬ, and ℱ, respectively.

¶ We will assume that the outputs of random oracles, beacons and finite random strings are single bits. This entails no restriction of generality since any of these random functions providing outputs of some length l can efficiently be reduced to a corresponding random function with outputs of length 1 (as long as l grows only polynomially in the security parameter k).

7.2 Impossibility Results

It is obvious that an asynchronous beacon can always be reduced to a random oracle (using an algorithm which merely passes on the inputs and outputs) and that a finite random string can always be reduced to a beacon (using the same trivial algorithm which additionally checks that the input is not larger than some predefined bound). The inverse reductions are, however, not possible.

Theorem 4. The following irreducibility results hold for both the information-theoretic and the computational case (where “⇝” is replaced by “⇝_c”):

$$\mathcal{R} \not\rightsquigarrow \mathcal{B} \quad\text{and}\quad \mathcal{B} \not\rightsquigarrow \mathcal{F}.$$

Proof. The main task required for the proof of this theorem is the computation of the entropies according to the definitions in Section 3. The assertion then follows directly from Theorem 3. For a random oracle, we obtain

t

and similarly, for an asynchronous beacon,

$$h^0_{\mathcal{B}}(t) = h^\infty_{\mathcal{B}}(t) = t$$

(independently of k ∈ N). Since for a finite random string the length of R is given by a function in the security parameter k which is bounded by a polynomial p in k, we have

if t < C
otherwise.

(for all k ∈ N). Note that the above expressions also hold if the respective systems are not uniform. □
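As an added example (our code, not the paper's), the block below evaluates the entropy profiles h^0_S(t) and h^∞_S(t) of Section 3.2 by enumeration for the three public resources of Section 7.1, and then samples the growth criterion of Theorem 3 for the two pairs of Theorem 4. Assumptions made here that the paper does not fix: the outputs of a resource are independent across inputs, so H_0 and H_∞ of the output tuple are the sums of the per-output values; the random oracle's cost is taken as c(x) = |x| with |x| the bit length of x; and the finite random string has C = 1 and |R| = k. Under these assumptions the enumeration yields h(t) = 2^t − 1 for the random oracle, h(t) = t for the beacon, and h(t) = k for the finite string whenever t ≥ C, which is what `growth_ratios` compares.

```python
"""Added example: entropy profiles h^0 / h^inf of Section 3.2 for the
resources of Section 7.1, and a sampled check of Theorem 3's criterion.
Modelling choices (independent outputs, c(x) = |x| for the oracle,
C = 1 and |R| = k for the finite string) are ours."""
import math
from typing import Callable, Dict, List

Pmf = Dict[int, float]                       # probability mass function of one output


def H0(d: Pmf) -> float:
    """H_0(Z) = log2 |support(Z)|."""
    return math.log2(sum(1 for p in d.values() if p > 0))


def Hinf(d: Pmf) -> float:
    """Min-entropy H_inf(Z) = -log2 max_z P_Z(z)."""
    return -math.log2(max(d.values()))


UNIFORM_BIT: Pmf = {0: 0.5, 1: 0.5}
CONSTANT_ZERO: Pmf = {0: 1.0}


class Resource:
    """A random function with monotone cost c and independent outputs Y_x."""
    def __init__(self, cost: Callable[[int], int],
                 output: Callable[[int], Pmf], horizon: int) -> None:
        self.cost, self.output, self.horizon = cost, output, horizon

    def n_t(self, t: int) -> int:
        """Maximal input x with c(x) <= t (binary search on the monotone cost,
        capped at `horizon`; inputs past the horizon carry no entropy)."""
        lo, hi = 0, self.horizon
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if self.cost(mid) <= t:
                lo = mid
            else:
                hi = mid - 1
        return lo

    def h(self, t: int, measure: Callable[[Pmf], float]) -> float:
        """h^0 (measure=H0) or h^inf (measure=Hinf) of Y_1..Y_{n_t};
        additivity over independent outputs is used."""
        return sum(measure(self.output(x)) for x in range(1, self.n_t(t) + 1))


def random_oracle(horizon: int = 1 << 16) -> Resource:
    return Resource(lambda x: x.bit_length(), lambda x: UNIFORM_BIT, horizon)


def beacon(horizon: int = 1 << 16) -> Resource:
    return Resource(lambda x: x, lambda x: UNIFORM_BIT, horizon)


def finite_random_string(k: int, C: int = 1) -> Resource:
    """|R| = k uniform bits at constant cost C; positions beyond |R| answer 0."""
    return Resource(lambda x: C,
                    lambda x: UNIFORM_BIT if x <= k else CONSTANT_ZERO,
                    horizon=k)


def growth_ratios(u: Resource, v: Resource,
                  p: Callable[[int], int], ts: List[int]) -> List[float]:
    """h^inf_U(t) / h^0_V(p(t)) at the sampled t.  Theorem 3 asks for h^inf_U
    to outgrow h^0_V o p for every polynomial p; an increasing, unbounded
    ratio is the numerical signature of that condition."""
    return [u.h(t, Hinf) / v.h(p(t), H0) for t in ts]


if __name__ == "__main__":
    square = lambda t: t * t
    print(growth_ratios(random_oracle(), beacon(), square, list(range(4, 11))))
    print(growth_ratios(beacon(), finite_random_string(8), square, list(range(1, 9))))
```

Swapping the arguments (beacon as U, random oracle as V) makes the ratio shrink instead, matching the trivial reductions mentioned at the start of Section 7.2; and because `h` sums per-output entropies, a biased output distribution can be passed in to see h^0 stay fixed while h^∞ drops, which is the gap between the two measures that Theorem 3 is stated in terms of.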



Together with Theorem 2, one can conclude that a random oracle in general 
can not be replaced by any algorithm interacting with an asynchronous beacon, 
and similarly, a beacon can not be replaced by any algorithm interacting with 
a public finite random string without affecting the security of an underlying 
cryptosystem. The failure of the random oracle methodology can thus be seen 
as a direct consequence of each of the two irreducibility results of Theorem 4. 



8 Conclusions 

One crucial motivation for introducing the notion of indifferentiability is that it 
characterizes exactly when one can replace a subsystem of a cryptosystem by 
another subsystem without affecting the security. In contrast to indistinguisha- 
bility, indifferentiability is applicable in the important case of settings where a 
possible adversary is assumed to have access to additional information about 
a system. This generality is for instance crucial in the setting of the random 
oracle methodology, and our abstract framework yields as a simple consequence, 
actually of each of two different impossibility results, the impossibility result by 
Canetti, Goldreich and Halevi [6] stating that random oracles can not be imple- 
mented. In view of the highly involved arguments of [6] based on CS-proofs, we 
hope to have presented a more generic approach to arguing about such impossi- 
bility results, thus also applicable in other contexts where systems have public 
parameters or where an adversary can obtain side-information about secret pa- 
rameters. 
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Abstract. In earlier work, we described a “pathological” example of a 
signature scheme that is secure in the Random Oracle Model, but for 
which no secure implementation exists. For that example, however, it
was crucial that the scheme is able to sign “long messages” (i.e., mes- 
sages whose length is not a-priori bounded). This left open the possibility 
that the Random Oracle Methodology is sound with respect to signa- 
ture schemes that sign only “short” messages (i.e., messages of a-priori 
bounded length, smaller than the length of the keys in use), and are 
“memoryless” (i.e., the only thing kept between different signature generations 
is the initial signing-key). In this work, we extend our negative
result to address such signature schemes. A key ingredient in our proof 
is a new type of interactive proof systems, which may be of independent 
interest. 



1 Introduction 

A popular methodology for designing cryptographic protocols consists of the fol- 
lowing two steps. One first designs an ideal system in which all parties (including 
the adversary) have oracle access to a truly random function, and proves the se- 
curity of this ideal system. Next, one replaces the random oracle by a “good 
cryptographic hashing function” such as MD5 or SHA, providing all parties (in- 
cluding the adversary) with a succinct description of this function. Thus, one 
obtains an implementation of the ideal system in a “real-world” where random 
oracles do not exist. This methodology, explicitly formulated by Bellare and Ro- 
gaway [1] and hereafter referred to as the random oracle methodology, has been 
used in many works (see some references in [5]). 

In our earlier work [5] we investigated the relationship between the secu- 
rity of cryptographic schemes in the Random Oracle Model, and the security 
of the schemes that result from implementing the random oracle by so-called 
“cryptographic hash functions”. In particular, we demonstrated the existence of
“pathological” signature schemes that are secure in the Random Oracle Model, 
but for which no secure implementation exists. However, one feature of these 
signature schemes was that they were required to sign “long messages”, in par- 
ticular messages that are longer than the length of the public verification-key. 
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Thus, that work left open the possibility that the Random Oracle Methodol- 
ogy may still be sound with respect to limited schemes that only sign “short 
messages” (i.e., messages that are significantly shorter than the length of the 
public verification-key). In this work we extend the negative result of [5] and 
show that it holds also with respect to signature schemes that are memoryless, 
and in addition are only required to sign “short messages”. That is:

Theorem 1 (sketch) There exists a memoryless (i.e., ordinary) signature 
scheme that is secure in the Random Oracle Model, but has no secure implementations 
by function ensembles. Furthermore, insecurity is demonstrated by 
an attack in which the scheme is only applied to messages of poly-logarithmic 
length (in the security parameter).

Indeed, the improvement of Theorem 1 over the corresponding result of [5] is
only in the “furthermore” clause. 

Our proof extends the technique from [5] of constructing these “pathological” 
signature schemes. Intuitively, in these schemes the signer first checks whether 
the message to be signed contains a “proof of the non-randomness of the oracle”.
If the signer is convinced it performs some highly disastrous action, and otherwise 
it just employs some secure signature scheme. Such a scheme will be secure in 
the Random Oracle Model, since the signer is unlikely to be convinced that
its oracle is not random. In a “real world implementation” of the scheme, on 
the other hand, the oracle is completely specified by a portion of the public 
verification-key. The attacker, who has access to this specification, can use it to 
convince the signer that this oracle is not random, thus breaking the scheme. 
The “proof of non-randomness” that was used in [5] was non-interactive, and 
its length was longer than the verification-key, which is the reason that it is 
not applicable to “short messages”. The crux of our extension is a new type
of interactive proof systems, employing a stateless verifier and short messages, 
which may be of independent interest. 

To prove “non-randomness” of a function, we would like to show that there 
exists a program that can predict the value of this function at “sufficiently many” 
points. However, it seems that such a proof must be at least as long as said program. 
In our application, the proof needs to predict a function described in a
portion of the verification-key, hence it needs to be of length comparable to that 
portion. But we want a signature scheme that only signs short messages, so the 
attacker (prover) cannot submit to the signer (verifier) such a long proof in just 
one message. It follows that we must use many messages to describe the proof, 
or in other words, we must have a long interaction. But recall that in our ap- 
plication, the proof has to be received and verified by the signing device, which 
by standard definitions is stateless.¹ Thus, the essence of what we need is an
interactive proof with a stateless verifier. 

At first glance, this last notion may not seem interesting. What good is 
an interaction if the verifier cannot remember any of it? If it didn’t accept after 

¹ Indeed, the statelessness condition is the reason that a non-interactive information 
transfer seems a natural choice, but in the current work we are unwilling to pay the 
cost in terms of message length.
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the prover’s first message, why would it accept after the second? What makes 
this approach workable is the observation that the verifier’s state can be kept 
by the prover, as long as the verifier has some means of authenticating this 
state. What we do is let the verifier (i.e., signer) emulate a computation of a 
Turing machine M (which in turn verifies a proof provided by the prover), and 
do so in an authenticated manner. The messages presented to the verifier will 
have the form (cc, σ, aux), where cc is a compressed version of an instantaneous 
configuration of the machine, σ is a “signature on cc”, and aux is auxiliary 
information to be used in the generation of a compressed version of the next 
configuration. If the signature is valid then the verifier will respond with the 
triple (cc', σ', aux'), where cc' is a compressed version of the next configuration, 
σ' is a “signature on cc'”, and aux' is auxiliary information regarding its 
update.

Relation to the Adversarial-Memory Model. Our approach of emulating a computation 
by interaction between a memoryless verifier and an untrusted prover 
is reminiscent of the interaction between a CPU and an adversarially-controlled 
memory in the works of Goldreich and Ostrovsky [7] and Blum et al. [2]. Indeed, 
the technique that we use in this paper to authenticate the state is very 
close to the “on-line checker” of Blum et al. However, our problem still seems 
quite different from theirs. On the one hand, our verifier cannot maintain state 
between interactions, whereas the CPUs in both the works from above maintain 
a small (updatable) state. On the other hand, our authenticity requirement is 
weaker than in [7,2], in that our solution allows the adversary to “roll back” the 
memory to a previous state. (Also, a main concern of [7], which is not required 
in our context, is hiding the “memory-access structure” from the adversary.)



Organization. We first present our interactive proof with stateless verifier while 
taking advantage of several specific features of our application: We start with an 
overview (Section 2), and provide the details in Section 3. In Section 4 we then 
sketch a more general treatment of this kind of interactive proof.

2 Overview of Our Approach 

On a high level, the negative result in our earlier work [5] can be described 
as starting from a secure signature scheme in the Random Oracle Model, and 
modifying it as follows: The signer in the original scheme was interacting with 
some oracle (which was random in the Random Oracle Model, but implemented 
by some function ensemble in the “real world”). In the modified scheme, the 
signer examines each message before it signs it, looking for a “proof” that its 
oracle is not random. If it finds such a convincing “proof” it does some obviously 
stupid thing, like outputting the secret key. Otherwise, it reverts to the original 
(secure) scheme. Hence, the crucial step in the construction is to exhibit a 
“proof” as above. Namely, we have a prover and a verifier, both polynomial-time 
interactive machines with access to an oracle, such that the following holds:
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— When the oracle is a truly random function, the verifier rejects with overwhelming 
probability, regardless of what the prover does. (The probability 
is taken also over the choice of the oracle.)

— For any polynomial-time function ensemble,² there is a polynomial-time
prover that causes the verifier to accept with noticeable probability, when 
the oracle is implemented by a random member of that ensemble. In this 
case, the prover receives a full description of the function used in the role of 
the oracle. (In our application, this description is part of the verification-key 
in the corresponding implementation of the signature scheme.) 

In [5] we used correlation-intractable functions to devise such a proof system.³ 
However, simpler constructions can be obtained. For example, when the oracle 
is implemented by a polynomial-time function ensemble, the prover could essentially 
just send to the verifier the description of the function that implements 
the oracle. The verifier can then evaluate that function on several inputs, and 
compare the outputs to the responses that it gets from the oracle. If the outputs 
match for sufficiently many inputs (where sufficiently many means more than 
the length of the description), then the verifier concludes that the oracle cannot 
be a random function. Indeed, roughly this simplified proof was proposed by 
Holenstein, Maurer, and Renner [10]. We remark that both our original proof 
and the simplified proof of Holenstein et al. are non-interactive proofs of non-randomness: 
The prover just sends one string to the verifier, thus convincing it 
that its oracle is not a random function.

However, implementing the proof in this manner implies that the attacker 
must send to the verifier a complete description of the function, which in our 
application may be almost as long as the verification-key. In terms of the resulting 
“pathological example”, this means that the signature scheme that we construct
must accept long enough messages. 

Clearly, one can do away with the need for long messages, if we allow the sig- 
nature scheme to “keep history” and pass some evolving state from one signature 
to the next. In that case the attacker can feed the long proof to the scheme bit 
by bit, and the scheme would only act on it once its history gets long enough. In 
particular, this means that the signature scheme will not only maintain a state 
(between signatures) but rather maintain a state of a-priori unbounded length. 
Thus, the negative result will refer only to such signature schemes, while we seek 
to present a negative result that refers also to stateless signature schemes, and in
particular to ones that only sign “short messages”. 



² A polynomial-time function ensemble is a sequence $\mathcal{F} = \{F_k\}_{k \in \mathbb{N}}$ of families of functions, 
$F_k = \{f_s : \{0,1\}^* \to \{0,1\}^{\ell_{out}(k)}\}$, such that there exists a polynomial-time 
algorithm that given s and x returns $f_s(x)$. In the sequel we often call s the 
description or the seed of the function $f_s$. 

³ We used (non-interactive) CS-proofs (cf. [13]) to make it possible for the verifier to 
run in fixed polynomial time, regardless of the polynomial that bounds the running 
time of the ensemble.
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In this work we show how such a result can be obtained. Specifically, we 
present a signature scheme that operates in the random-oracle model, with the 
following properties: 

— The scheme is stateless: the signer only keeps in memory the secret key, and 
this key does not evolve from one signature to the next. 

— The scheme is only required to sign short messages: On security parameter 
k, the scheme can only be applied to messages whose length is less than k. 
Furthermore, one could even restrict it to messages of length sub-linear in k 
(e.g., polylog(k)). 

— The scheme is secure in the Random Oracle Model: When the oracle is implemented 
by a truly random function, the scheme is existentially unforgeable 
under an adaptive chosen-message attack. 

— The scheme has no secure implementation: When the oracle is implemented 
by any function ensemble (even one with functions having description length 
that is polynomially longer than k), the scheme is completely breakable 
under an adaptive chosen-message attack. We remark that in this case the 
function’s description is part of the verification-key.⁴

To construct such a scheme we need to design a “proof system” that only uses 
very short messages. As opposed to previous examples, we will now have an 
interactive proof system, with the proof taking place during the attack. Each 
communication-round of the proof is being “implemented” by the attacker (in 
the role of the prover) sending a message to be signed, and the signer (in the 
role of the verifier) signing that message. 

The ideas that make this work are the following: We start from the aforemen- 
tioned non-interactive proof (of “non-randomness”), where the verifier is given 
the description of a function, and compares that function to its own oracle (i.e., 
compares their values at sufficiently many points). Then, instead of having the 
verifier execute the entire test on its own, we feed the execution of this test to the 
verifier “one step at a time” (and, in particular, the input function is fed “one 
step at a time”). Namely, let M be the oracle Turing machine implementing the 
aforementioned test. The adversary provides the verifier with the relevant infor- 
mation pertaining to the current step in the test (e.g., the state of the control 
of M and the character under the head) and the verifier returns the information 
for the next step. This requires only short messages, since each step of M has a 
succinct description. 

To keep the security of the scheme in the Random Oracle Model, we need 
to make sure that the adversary can only feed the verifier with “valid states” 
of the machine M. (Namely, states that can indeed result from the execution of 
this machine on some input.) To do that, we have the verifier authenticate each 
step of the computation. That is, together with the “local information” about 

⁴ In contrast, if the function’s description is only part of the signing-key then using
any pseudorandom function [6] would yield a secure signature scheme. However, this 
would not be an application of the Random Oracle Methodology, which explicitly 
refers to making the function’s description public. 
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the current step, the verifier also computes an authentication tag for the “global 
state” of the machine in this step, which is done using Merkle trees [12]. Such 
authentication has the property that it can be computed and verified using only 
the path from the root to the current leaf in the tree, and the authentication 
tag itself is very short. A little more precisely, the current configuration of the 
machine M (using some standard encoding) is viewed as the leaves of a Merkle 
tree, and the verifier provides the prover with an authentication tag for the root 
of this tree. Then a typical step in the proof proceeds as follows: 

1. The attacker sends to the verifier the “relevant leaf” of the tree (i.e., the one
containing the head of M), together with the entire path from the root to 
that leaf (and the siblings for that path), and the authentication tag for the 
root. 

2. The verifier checks the authentication tag of the root and the validity of the 
root-leaf path (using the siblings). If everything is valid, then the verifier 
executes the next step of M, and returns to the attacker the updated path 
to the root, and an authentication tag for the new root. 

If the machine M ever enters an accept state, then the verifier accepts. This proof 
can still be implemented using only short messages, since the root-leaf path has 
only logarithmic depth. As for security, since it is infeasible for the attacker to 
“forge a state” of M, the verifier will accept only if the machine M indeed 
has an accepting computation.

3 The Details 

We now flesh out the description from Section 2. We begin in §3.1 with the 
basic test that we are going to implement step-by-step. In §3.2 we describe the 
Merkle-tree authentication mechanism that we use, and in §3.3 we describe the 
complete “interactive proof system”. Finally, we show in §3.4 how this proof 
system is used to derive our counter-example. 

As we did in [5] , we avoid making intractability assumptions by using the ran- 
dom oracle itself for various constructs that we need. For example, we implement 
the Merkle-tree authentication mechanism (which typically requires collision- 
resistant hash functions) by using the random oracle. We stress that we only 
rely on the security of this and other constructs in the Random Oracle Model, 
and do not care whether or not its implementation is secure (because we are 
going to demonstrate the insecurity of the implementation anyhow). Formally, 
in the context of the proof system, the security of the constructs only affects the
soundness of the proof, which in turn refers to the Random Oracle Model. 

In both the basic test and the authentication mechanisms we use access to 
an oracle (which will be a random function in the Random Oracle Model, and a 
random member in an arbitrary function ensemble in the “real world”). When we
work in the Random Oracle Model, we wish these two oracles to be independent. 
Thus, we use the single oracle to which we have access to define two oracles that 
are independent if the original oracle is random (e.g., using the oracle O, we 
define oracles $O_i(x) = O(i, x)$).




46 



R. Canetti, O. Goldreich, and S. Halevi 



In the rest of this section, we assume that the reader is familiar with the 
notion of a polynomial-time function ensemble (as reviewed in Footnote 2). 

3.1 The Basic Test 

Our starting point is a very simple non-interactive “proof of non-randomness” 
of an oracle O. (The basic idea for this proof is described by Holenstein et al. in 
[10].) The verifier is a (non-interactive) oracle Turing machine, denoted M, which 
is given a candidate proof, denoted $\pi$, as input. The input $\pi$ is supposed to be a 
program (or a description of a Turing machine) that predicts O. Intuitively, if O 
is random then no $\pi$ may be successful (when we try to use it in order to predict 
the value of O on more than $|\pi|$ predetermined inputs). On the other hand, if O 
has a short description (as in the case where it is taken from some function ensemble) 
then setting $\pi$ to be the program that computes O will do perfectly well. The 
operation of M, on security parameter k, input $\pi$ and access to an oracle O, is 
given below:

Procedure $M^O(1^k, \pi)$: 

1. Let $n = |\pi|$ be the bit length of $\pi$. 

($\pi$ is viewed as a description of a Turing-machine.) 

2. For $i = 1$ to $2n + k$, let $y_i \leftarrow O(i)$ and $z_i \leftarrow \pi(i)$. 

3. If $y_i$ and $z_i$ agree on their first bit for all $i \in [1..2n+k]$, then accept. 

4. Else reject.

Below it will be convenient to think of the machine M as having one security-parameter 
tape (a read-only tape containing $1^k$), one “regular” work tape 
that initially contains $\pi$, one oracle query tape and one oracle reply tape (the 
last having just a single bit, since we only look at the first bit of the answer). 
A configuration of this machine can therefore be described as a 4-tuple 
$c = (q, r, w, sp)$ describing the contents of each tape (i.e., q describes 
the query, r the reply, w the contents of the work-tape and sp the security-parameter). 
By convention, we assume that the description of each tape includes 
also the location of the head on this tape, and that the description of 
the work tape also includes the state of the finite control. Thus, for the above 
machine M, we always have $|q| = \log(2|\pi| + k) + \log\log(2|\pi| + k)$, $|r| = 1$, 
$|w| \le |\pi| + s_k(\pi) + \log(2|\pi| + k) + \log(|\pi| + s_k(\pi) + \log(2|\pi| + k)) + O(1)$, 
$|sp| = k$, where $s_k(\pi)$ is the space required for computing $\pi(i)$ for the worst 
possible $i \in [2|\pi| + k]$. It follows that $|c| = O(|\pi| + s_k(\pi) + k)$.

Note that M itself is not a “verifier in the usual sense”, because its running 
time may depend arbitrarily on its input. In particular, for some inputs $\pi$ (describing 
a non-halting program), the machine M may not halt at all. Nonetheless,
we may analyze what happens in the two cases that we care about: 

Proposition 2 (Properties of machine M): 

1. Random oracle: For security parameter k, if the oracle O is chosen uniformly 
from all the Boolean functions, then 

$\Pr[\exists\, \pi \in \{0,1\}^* \text{ s.t. } M^O(1^k, \pi) \text{ accepts}] < 2^{-k}$. 

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2. Oracle with succinct description: For every function ensemble $\{f_s : \{0,1\}^* \to \{0,1\}\}_{s \in \{0,1\}^*}$ 
(having a polynomial-time evaluation algorithm), there exists 
an efficient mapping $s \mapsto \pi_s$ such that for every s and every k it holds that 
$M^{f_s}(1^k, \pi_s)$ accepts in polynomial time.

Proof Sketch. In Item 1, we apply the union bound on all possible (i.e., infinitely 
many) $\pi$’s. For each fixed $\pi \in \{0,1\}^*$, it holds that the probability that $M^O(1^k, \pi)$ 
accepts is at most where the probability is taken uniformly over all 
possible choices of O. In Item 2, we use the program obtained by hard-wiring 
the seed s into the polynomial-time evaluation algorithm associated with the 
function ensemble. □
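As an added example (not the paper's code), the Python below runs the basic test $M^O(1^k, \pi)$ of §3.1 once against an oracle drawn from a concrete polynomial-time ensemble, with the honest $\pi_s$ of Proposition 2 (item 2), and once against a lazily sampled random function. It assumes, as stand-ins for the page's abstract objects, that a program $\pi$ is a JSON description executed by the small interpreter `interpret`, and that the ensemble is $f_s(x) = \mathrm{HMAC\text{-}SHA256}(s, x)$.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict

Oracle = Callable[[int], bytes]      # O: query index i -> output string (M only looks at its first bit)


def first_bit(out: bytes) -> int:
    return out[0] >> 7


def interpret(pi: bytes, i: int) -> bytes:
    """Run program pi on input i.  A JSON blob stands in for a Turing-machine description
    (constructed); the only supported algorithm is HMAC-SHA256 with a hard-wired seed."""
    prog = json.loads(pi)
    if prog.get("alg") != "hmac-sha256":
        raise ValueError("unsupported program description")
    return hmac.new(bytes.fromhex(prog["seed"]), i.to_bytes(8, "big"), hashlib.sha256).digest()


def basic_test(k: int, pi: bytes, oracle: Oracle) -> bool:
    """M^O(1^k, pi): accept iff pi predicts the first bit of O(i) for every i in [1..2n+k],
    where n = |pi| is the bit length of the program.  Demanding more than n agreements is
    what a random O cannot supply for any fixed pi."""
    n = 8 * len(pi)
    for i in range(1, 2 * n + k + 1):
        y_i, z_i = oracle(i), interpret(pi, i)
        if first_bit(y_i) != first_bit(z_i):
            return False
    return True


def ensemble_member(seed: bytes) -> Oracle:
    """f_s from the (constructed) polynomial-time ensemble f_s(x) = HMAC-SHA256(s, x)."""
    return lambda i: hmac.new(seed, i.to_bytes(8, "big"), hashlib.sha256).digest()


def honest_proof(seed: bytes) -> bytes:
    """pi_s: the ensemble's evaluation algorithm with the seed s hard-wired (Prop. 2, item 2).
    In the signature application this description is the part of the verification-key
    that specifies the oracle."""
    return json.dumps({"alg": "hmac-sha256", "seed": seed.hex()}).encode()


def random_oracle() -> Oracle:
    """A random function sampled lazily: a fresh uniform reply for each new query index."""
    table: Dict[int, bytes] = {}

    def query(i: int) -> bytes:
        if i not in table:
            table[i] = secrets.token_bytes(32)
        return table[i]

    return query


if __name__ == "__main__":
    s = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed seed
    print("ensemble oracle, honest pi_s:", basic_test(16, honest_proof(s), ensemble_member(s)))
    print("random oracle,   same pi_s:  ", basic_test(16, honest_proof(s), random_oracle()))
```

With the seed above, $|\pi_s|$ is about 500 bits, so the random-oracle run compares roughly a thousand first bits and a false accept has probability $2^{-(2n+k)}$, far below anything observable.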



3.2 Authenticating the Configuration 

We next describe the specifics of how we use Merkle trees to authenticate the 
configurations of the machine M. In the description below, we view the configuration 
$c = (q, r, w, sp)$ as a binary string (using some standard encoding). 

We assume that the authentication mechanism too has access to a random 
oracle, and this random oracle is independent of the one that is used by the 
machine M. Below we denote this “authentication oracle” by A. To be concrete, 
on security parameter k, denote $\ell_{out} = \ell_{out}(k) = \lceil \log^2(k) \rceil$⁵ and assume that 
the oracle is chosen at random, from all the functions $A : \{0,1\}^* \to \{0,1\}^{\ell_{out}}$. 
(Actually, we may consider the functions $A : \{0,1\}^{3\ell_{out}} \to \{0,1\}^{\ell_{out}}$.) We stress 
again that we do not lose much generality by these assumptions, as they can be 
easily met in the Random Oracle Model. Also, when the security parameter is 
k, we use a random $\ell_{out}$-bit string for the authentication key, which we denote by 
$ak \in_R \{0,1\}^{\ell_{out}}$.

To authenticate a configuration c (on security parameter k, with access to an 
oracle A, and with key ak), we first pad the binary encoding of c to length $2^d \cdot \ell_{out}$ 
(where d is an integer). We then consider a complete binary tree with $2^d$ leaves, 
where the i’th leaf contains the i’th $\ell_{out}$-bit chunk of the configuration. Each 
internal node in this tree contains an $\ell_{out}$-bit string. For a node at distance i 
from the root, this $\ell_{out}$-bit string equals $A(i, \mathit{left}, \mathit{right})$, where left and right 
are the $\ell_{out}$-bit strings in the left and right children of that node, respectively. 
The authentication tag for this configuration equals $A(d, ak, \mathit{root})$, where root is 
the $\ell_{out}$-bit string in the root of the tree.

The security property that we need here is slightly stronger than the usual 
notion for authentication codes. The usual notion would say that for an attacker 
who does not know the key ak, it is hard to come up with any valid pair (config- 
uration, tag) that was not previously given to him by the party who knows ak. 
In our application, however, the verifier is only presented with root-leaf paths in

⁵ The choice of $\ell_{out}(k) = \lceil \log^2(k) \rceil$ is somewhat arbitrary. For the construction below 
we need the output length $\ell_{out}$ to satisfy $\omega(\log k) < \ell_{out}(k) < o(k/\log k)$, whereas the 
input length should be at least $2\ell_{out}(k) + \omega(\log k)$. (Note that $2\ell_{out}(k) + \omega(\log k) < 
3\ell_{out}(k)$.)
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the tree, never with complete configurations. We therefore require that it is hard 
even to come up with a single path that “looks like it belongs to a valid configura- 
tion” , without this path being part of a previously authenticated configuration. 
We use the following notions: 

Definition 3 (valid paths) Let $A : \{0,1\}^* \to \{0,1\}^{\ell_{out}}$ be an oracle and $ak \in 
\{0,1\}^{\ell_{out}}$ be a string as above. A valid path with respect to A and ak is a triple 

$((\sigma_1 \cdots \sigma_d),\ ((v_{1,0}, v_{1,1}), \ldots, (v_{d,0}, v_{d,1})),\ t)$ 

where the $\sigma_i$’s are bits, and the $v_{i,b}$’s and t are all $\ell_{out}$-bit strings, satisfying the 
following conditions: 

1. For every $i = 1, \ldots, d-1$, it holds that $v_{i,\sigma_i} = A(i, v_{i+1,0}, v_{i+1,1})$. 

2. $t = A(d, ak, A(0, v_{1,0}, v_{1,1}))$. 

This path is said to be consistent with the configuration c if, when placing c in the 
leaves and propagating values as described above,⁶ for every $i = 1, \ldots, d$ the 
node reached from the root by following the path $\sigma_1 \cdots \sigma_i$ is assigned the value 
$v_{i,\sigma_i}$, and the sibling of that node is assigned the value $v_{i,1-\sigma_i}$. 

In this definition, $v_{i,\sigma_i}$ is the value claimed for the internal node reached from 
the root by following the path $\sigma_1 \cdots \sigma_i$. The value claimed for the root is 
$v_0 \stackrel{\mathrm{def}}{=} A(0, v_{1,0}, v_{1,1})$, and this value is authenticated by $A(d, ak, v_0)$, which also 
authenticates the depth of the tree. Indeed, only the value of the root is directly 
authenticated, and this indirectly authenticates all the rest.

Fix some $\ell_{out} \in \mathbb{N}$, and let A be a random function from $\{0,1\}^*$ to $\{0,1\}^{\ell_{out}}$, 
and ak be a random $\ell_{out}$-bit string. Consider a forger, F, that can query the 
oracle A on arbitrary strings, and can also issue authentication queries, where 
the query is a configuration c and the answer is the authentication tag on c 
corresponding to A and ak. The forger F is deemed successful if at the end of 
its run it outputs a path $(\sigma, v, t)$ that is valid with respect to A and ak but is 
inconsistent with every one of the authentication queries. One can easily prove the 
following: 

Proposition 4 For any $\ell_{out} \in \mathbb{N}$ and any forger F, the probability that F is 
successful is at most where q is the total number of queries made by F 
(i.e., both queries to the oracle A and authentication queries). The probability is 
taken over the choices of A and ak, as well as over the coins of the forger F.

Proof Sketch. Intuitively, the authentication of the root’s value makes it hard to 
produce a path that is valid with respect to A and (the unknown) ak but uses 
a different value for the root. Similarly for a path of a different length for the 
same root value. On the other hand, it is hard to form collisions with respect to 
the values of internal nodes (i.e., obtain two pairs $(u, w)$ and $(u', w')$ such that 
for some i it holds that $A(i, u, w) = A(i, u', w')$). □



⁶ That is, an internal node at distance i from the root is assigned the value $A(i, u, w)$, 
where u and w are the values assigned to its children.
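The Merkle-tree authentication of §3.2 (tree labels $A(i, \mathit{left}, \mathit{right})$, tag $A(d, ak, \mathit{root})$, valid paths as in Definition 3) together with the stateless verifier step it enables (the typical step of Section 2 and the ‘Init’ write of §3.3), as an added Python example that is not the paper's code. It assumes that the oracle A is modelled by SHA-256 truncated to 16 bytes with the depth prefixed to the input, that $\ell_{out}$ is 16 bytes rather than $\lceil \log^2 k \rceil$ bits, and a constructed byte encoding of a blank configuration; `demo` also exercises the roll-back to an earlier authenticated state that the text notes this mechanism permits.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

L_OUT = 16                                  # bytes per leaf chunk and node label (stands in for l_out bits)
Pair = Tuple[bytes, bytes]
Path = Tuple[Tuple[int, ...], List[Pair], bytes]   # ((sigma_1..sigma_d), ((v_{i,0}, v_{i,1}))_i, t)


def A(i: int, x: bytes, y: bytes) -> bytes:
    """Public authentication oracle A(i, x, y); the depth i is part of the input (constructed hash)."""
    return hashlib.sha256(i.to_bytes(4, "big") + x + y).digest()[:L_OUT]


def to_leaves(config: bytes) -> List[bytes]:
    """Pad the encoded configuration to 2^d * L_OUT bytes and cut it into L_OUT-byte leaves."""
    chunks = max(2, -(-len(config) // L_OUT))
    size = 1 << (chunks - 1).bit_length()                    # smallest power of two >= chunks
    padded = config.ljust(size * L_OUT, b"\x00")
    return [padded[j * L_OUT:(j + 1) * L_OUT] for j in range(size)]


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """levels[i] = values of all nodes at distance i from the root; internal node = A(i, left, right)."""
    d = len(leaves).bit_length() - 1
    levels: List[List[bytes]] = [[] for _ in range(d + 1)]
    levels[d] = list(leaves)
    for i in range(d - 1, -1, -1):
        below = levels[i + 1]
        levels[i] = [A(i, below[2 * j], below[2 * j + 1]) for j in range(len(below) // 2)]
    return levels


def tag(ak: bytes, d: int, root: bytes) -> bytes:
    """Authentication tag A(d, ak, root): binds the root value and the depth under the secret ak."""
    return A(d, ak, root)


def extract_path(levels: List[List[bytes]], leaf_index: int, t: bytes) -> Path:
    """Prover side: the root-to-leaf path for one leaf together with the sibling at each level."""
    d = len(levels) - 1
    sigma, pairs = [], []
    for i in range(1, d + 1):
        node = leaf_index >> (d - i)                         # index of the path node at distance i
        parent = node >> 1
        sigma.append(node & 1)
        pairs.append((levels[i][2 * parent], levels[i][2 * parent + 1]))
    return tuple(sigma), pairs, t


def is_valid_path(ak: bytes, path: Path) -> bool:
    """Definition 3: (1) v_{i,sigma_i} = A(i, v_{i+1,0}, v_{i+1,1}) for i < d; (2) t = A(d, ak, A(0, v_{1,0}, v_{1,1}))."""
    sigma, pairs, t = path
    d = len(sigma)
    if d == 0 or len(pairs) != d:
        return False
    for i in range(1, d):
        if pairs[i - 1][sigma[i - 1]] != A(i, *pairs[i]):
            return False
    return hmac.compare_digest(t, tag(ak, d, A(0, *pairs[0])))


def stateless_step(ak: bytes, path: Path, new_leaf: bytes) -> Optional[Path]:
    """Verifier side, with no memory beyond ak: check the presented path, write new_leaf into the
    addressed leaf, recompute the path upward and re-tag the new root.  None = state rejected."""
    if not is_valid_path(ak, path):
        return None
    sigma, pairs, _ = path
    d = len(sigma)
    rows = [list(p) for p in pairs]
    rows[d - 1][sigma[d - 1]] = new_leaf
    for i in range(d - 1, 0, -1):                            # only O(d) oracle calls, no full tree
        rows[i - 1][sigma[i - 1]] = A(i, rows[i][0], rows[i][1])
    return sigma, [(r[0], r[1]) for r in rows], tag(ak, d, A(0, rows[0][0], rows[0][1]))


def demo() -> Dict[str, bool]:
    """Constructed run: the prover holds the full configuration, the verifier only ak."""
    ak = secrets.token_bytes(L_OUT)
    leaves = to_leaves(b"q=0000|r=*|w=" + b"*" * 40 + b"|sp=" + b"1" * 8)   # constructed encoding of c_0
    levels = build_levels(leaves)
    d = len(levels) - 1
    path = extract_path(levels, 2, tag(ak, d, levels[0][0]))
    forged = (path[0], path[1][:-1] + [(b"\xff" * L_OUT, path[1][-1][1])], path[2])
    new_leaf = b"1".ljust(L_OUT, b"\x00")
    new_path = stateless_step(ak, path, new_leaf)            # the 'Init' write of one input bit
    leaves[2] = new_leaf                                     # the prover mirrors the write locally
    new_levels = build_levels(leaves)
    return {
        "honest_path_valid": is_valid_path(ak, path),
        "tampered_leaf_rejected": not is_valid_path(ak, forged),
        "verifier_and_prover_agree": new_path is not None and new_path[2] == tag(ak, d, new_levels[0][0]),
        "next_step_from_other_leaf": new_path is not None and is_valid_path(ak, extract_path(new_levels, 5, new_path[2])),
        "rollback_to_old_state_still_valid": is_valid_path(ak, path),   # the roll-back the text allows
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```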
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3.3 An Interactive Proof of Non-randomness 

We are now ready to describe our interactive proof, where a prover can convince 
a “stateless” verifier that their common oracle is not random, using only very 
short messages. 

The setting is as follows: We have a prover and a verifier, both working in 
polynomial time in their input, both sharing a security parameter $k \in \mathbb{N}$ (encoded 
in unary), and both having access to an oracle, say $O' : \{0,1\}^* \to \{0,1\}^{\ell_{out}}$. (The 
parameter $\ell_{out}$ is quite arbitrary. Below we assume for convenience that this is 
the same parameter as we use for the authentication scheme, namely $\ell_{out} = 
\lceil \log^2(k) \rceil$.)⁷ In this proof system, the prover is trying to convince the verifier 
that their common oracle is not random. Specifically, both prover and verifier 
interpret their oracle as two separate oracles, A and O (say, $O(x) = O'(0x)$ 
and $A(x) = O'(1x)$), and the honest prover has as input a description of a 
Turing machine that computes the function O. However, we place some severe 
limitations on what the verifier can do. Specifically, the verifier has as private 
input a random string $ak \in \{0,1\}^{\ell_{out}}$, but other than this fixed string, it is not 
allowed to maintain any state between steps. That is, when answering a message 
from the prover, the verifier always begins the computation from a fixed state 
consisting only of the security parameter k and the string ak. In addition, on 
security parameter k, the verifier is only allowed to see prover-messages of length 
strictly smaller than k. (In fact, below we only use messages of size polylog(k).)

The proof that we describe below consists of two phases. In the first (initialization) 
phase, the prover uses the verifier to authenticate the initial configuration 
of the machine $M^O(1^k, x)$, where k is the security parameter that they 
both share, and x is some input that the prover chooses. For the honest prover, 
this input x will be the description of the Turing-machine that implements the 
oracle O. In the second (computation) phase, the prover takes the verifier step-by-step 
through the computation of $M^O(1^k, x)$. For each step, the prover gives 
to the verifier the relevant part from the current authenticated configuration, 
and the verifier returns the authentication tag for the next configuration. The 
verifier is convinced if the machine M ever reaches the accepting state.

For notational convenience, we assume below that on security parameter k, 
the verifier only agrees to authenticate configurations of M whose length is less 
than Indeed, in our application the honest prover will never need to use 

larger configurations (for large enough k).



Initialization Phase. This phase consists of two steps. In the first step, the 
prover will use the verifier in order to authenticate a “blank configuration” (lacking
a real input) for the computation, whereas in the second step the prover will feed 
an input into this configuration and obtain (via interaction with the verifier) an 
initial configuration fitting this input. 

⁷ Note that even a binary oracle (i.e., $\ell_{out} = 1$) suffices, since in the Random Oracle 
Model it is easy to convert one output length to another.
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First Step. The prover begins this phase by sending a message of the form 
(‘Init’, 0, sb) to the verifier, where the integer sb < is an upper bound 

on the length of the configurations of M in the computation to come, and it 
is encoded in binary. In response, the verifier computes a blank configuration, 
denoted Cq, of length sb and sends the authentication tag for this configuration, 
with respect to oracle A and key ak. The blank configuration Cq consists of the 
security-parameter tape filled with 1^, all the other tapes being “empty” (e.g., 
filled with *’s), the heads being at the beginning of each tape, and the finite 
control being in a special blank state. Specifically, the work-tape consists of sb 
blanks (i.e., *’s), and the query-tape consists of £out(^)/2 = w(logA:) blanks.® 
We note that authenticating the blank configuration in a straightforward manner (i.e., by writing down the configuration and computing the labels of all nodes in the tree) takes time O(sb), which may be super-polynomial in k. Nonetheless, it is possible to compute the authentication tag in time polynomial in k, because the configuration $C_0$ is “highly uniform”. Specifically, note that the work tape is filled with *’s, and all the other tapes are of size polynomial in k. Thus, in every level of the configuration tree, almost all the nodes have the same value (except, perhaps, a polynomial number of them). Hence, the number of queries to A and the total time that it takes to compute the authentication tag is polynomial in k. 

Conventions. For simplicity, we assume that the contents of the query-tape as well as the machine’s state are encoded in the first $\ell_{\mathrm{out}}(k)$-bit long block of the configuration. Typically, in all subsequent modifications to the configuration, we will use this block as well as (possibly) some other block (in which the “actual action” takes place). We denote by $\langle i\rangle$ the bit-string describing the path from the root to the leaf that contains the i’th location in the work-tape. Needless to say, we assume that the encoding is simple enough such that $\langle i\rangle$ can be computed efficiently from i. 

Second Step. After obtaining the authentication tag for the blank configuration, the prover may fill in the input in this configuration by sending messages of the form (‘Init’, i, b, $p_1$, $p_i$, t) to the verifier. Upon receiving such a message, the verifier checks that $(\langle 1\rangle, p_1, t)$ and $(\langle i\rangle, p_i, t)$ are valid paths w.r.t. A and ak, that path $p_1$ shows the heads at the beginning of their tapes and the control in the special “blank state”, and that path $p_i$ shows the i’th location in the work-tape filled with a *. In case all conditions hold, the verifier replaces the contents of the i’th location in the work-tape with the bit b, recomputes values along the path from that tape location to the root, and returns the new authentication tag to the prover. That is, the values along that path as recorded in $p_i$ correspond to a setting of the i’th location to *, and setting this location to b typically yields new values that propagate from this leaf up to the root. 

‡ On input $(1^k, x)$, the query tape of M is of size $\log_2(2|x| + k)$. For ensemble $\mathcal{F}$, the honest prover will use $|x| < \mathrm{poly}(k) + O(1)$, and so the length of the query tape would be $O(\log k)$. 
Thus, using |x| rounds of interaction, the honest prover can obtain (from the verifier) the authentication tag on the initial configuration of $M(1^k, x)$, where x is a string of the prover’s choice. Note that a cheating prover may obtain from the verifier an authentication tag that does not correspond to such an initial configuration. (In fact, even the honest prover obtains such tags in all but the last iterations of the current step.) 

Computation Phase. This phase begins with a message of the form (‘Comp’, $p_1$, t) that the prover sends. The verifier checks that $(\langle 1\rangle, p_1, t)$ is a valid path, and that $p_1$ shows the heads at the beginning of their tapes and the control in the special “blank state”. If these conditions hold, the verifier changes the state to the initial state of M, recomputes the values on the path $p_1$ from the initial tape location to the root, and returns the new authentication tag to the prover. (In fact, one may view this step as belonging to the initialization step.) 

Thereafter, upon receiving a message of the form (‘Comp’, i, j, $p_1$, $p_i$, $p_j$, t), where $j \in \{i-1, i, i+1\}$ (and indeed when j = i it holds that $p_i = p_j$), the verifier checks that $(\langle 1\rangle, p_1, t)$, $(\langle i\rangle, p_i, t)$, $(\langle j\rangle, p_j, t)$ are all valid paths. Furthermore, it checks that $p_i$ contains the head position and $p_j$ describes a legal contents of the position that the head will move to after the current step. That is, $p_1$ and $p_i$ provide sufficient information to determine the single-step modification of the current configuration (which may include a movement of some heads and a change in the contents of a single symbol in some of the tapes). In case all conditions hold, then the verifier executes the current step (making a query to its oracle O if this step is an oracle query), recomputes the values on the three paths to the root, and returns the new authentication tag to the prover. If after this step the machine M enters its accept state, the verifier accepts. 
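The ‘Init’ and ‘Comp’ exchanges above, as an added example that is not part of the original paper: a hash tree over configuration blocks, a verifier that keeps nothing but ak between messages, and the poly-time tag for the blank configuration. It assumes SHA-256 for the tree-hashing role of A and HMAC-SHA256 under ak for its MAC role, a single control block 0 standing in for the first $\ell_{\mathrm{out}}(k)$-bit block, and a placeholder initial state Q0; the single-step ‘Comp’ transitions of M itself are not modelled.

```python
import hashlib
import hmac

BLANK = b"*"            # blank tape symbol
BLANK_STATE = b"blank"  # special blank state of the finite control
Q0 = b"q0"              # placeholder for M's initial state (assumption)

def _h(*parts):
    """Tree-node label: SHA-256 in the role of A as a collision-resistant hash."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)  # length-prefixed, so parts cannot be re-split
    return m.digest()

def build_tree(leaves):
    """All levels of the tree over the configuration blocks; levels[-1][0] is the root."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("pad the configuration to a power of two blocks")
    levels = [[_h(v) for v in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([_h(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def blank_root(depth):
    """Root of the blank configuration with 2**depth blocks in O(depth) hashes: block 0 is
    the control block, all others are blank, so per level all nodes but the leftmost agree."""
    left, rest = _h(BLANK_STATE), _h(BLANK)
    for _ in range(depth):
        left, rest = _h(left, rest), _h(rest, rest)
    return left

def auth_path(levels, i):
    """Sibling labels from block i up to the root: the path p_i the prover sends."""
    sibs = []
    for lvl in levels[:-1]:
        sibs.append(lvl[i ^ 1])
        i >>= 1
    return sibs

def root_from_path(i, value, sibs):
    """Recompute the root from block i's claimed contents and its sibling labels."""
    node = _h(value)
    for s in sibs:
        node = _h(node, s) if i % 2 == 0 else _h(s, node)
        i >>= 1
    return node

class Verifier:
    """Stateless verifier: nothing but ak survives between two messages."""
    def __init__(self, ak):
        self.ak = ak

    def tag(self, root):
        # A in its MAC role, keyed with ak: the authentication tag t of a configuration
        return hmac.new(self.ak, root, hashlib.sha256).digest()

    def valid(self, i, value, sibs, t):
        return hmac.compare_digest(self.tag(root_from_path(i, value, sibs)), t)

    def init_blank(self, depth):
        """Reply to ('Init', 0, sb) with sb = 2**depth."""
        return self.tag(blank_root(depth))

    def init_step(self, i, b, p1, pi, t):
        """Reply to ('Init', i, b, p_1, p_i, t); p1, pi = (block contents, siblings)."""
        (state, sibs1), (old, sibs_i) = p1, pi
        if not (self.valid(0, state, sibs1, t) and self.valid(i, old, sibs_i, t)):
            return None  # forged or stale path
        if state != BLANK_STATE or old != BLANK or i == 0:
            return None  # input goes only into blank cells, and only before the run starts
        return self.tag(root_from_path(i, b, sibs_i))  # new values propagate leaf to root

    def start_comp(self, p1, t):
        """Reply to ('Comp', p_1, t): move the control from the blank state to Q0."""
        state, sibs1 = p1
        if not self.valid(0, state, sibs1, t) or state != BLANK_STATE:
            return None
        return self.tag(root_from_path(0, Q0, sibs1))

class Prover:
    """Honest prover: holds the whole configuration and never sees ak."""
    def __init__(self, verifier, depth):
        self.v, self.leaves = verifier, [BLANK_STATE] + [BLANK] * (2 ** depth - 1)
        self.t = verifier.init_blank(depth)  # first step of the initialization phase

    def path(self, i):
        return self.leaves[i], auth_path(build_tree(self.leaves), i)

    def write_input(self, x):
        """Second step: one ('Init', i, b, p_1, p_i, t) round per input byte."""
        for j, ch in enumerate(x):
            i, b = 1 + j, bytes([ch])
            t = self.v.init_step(i, b, self.path(0), self.path(i), self.t)
            if t is None:
                raise RuntimeError("verifier rejected")
            self.leaves[i], self.t = b, t
        return self.t
```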

It can be seen that the honest prover can use these interaction steps to take 
the verifier step-by-step through the computation of M. It follows that if the 
input to the honest prover is indeed a polynomial-time machine that computes 
the function O, then the verifier will halt and accept after polynomially many 
steps. We conclude this subsection by showing that the above constitutes a proof 
system for non-randomness (satisfying additional properties that we will need in 
the next subsection). 

Proposition 5 The above construction constitutes a proof system with the following properties: 

Efficiency. Each verifier step can be computed in time polynomial in the security parameter k. 

Stateless verifier. The verifier is stateless in the sense that it begins every step from the same state, consisting only of the security parameter k and its private input $ak \in \{0,1\}^{\ell_{\mathrm{out}}(k)}$. Formally, the verifier replies to each incoming message m with $V(1^k, ak, m)$, where V is a fixed (efficiently computable) function.† 

† We slightly abuse notation here, and use V for both the verifier and the functions that it implements. 
Soundness. If O′ is chosen as a random function $O' : \{0,1\}^* \to \{0,1\}^{\ell_{\mathrm{out}}(k)}$ and ak is chosen at random in $\{0,1\}^{\ell_{\mathrm{out}}(k)}$, then for every (possibly cheating) prover P it holds that 

$$\Pr_{O',ak}\Big[\text{the verifier } V^{O'}(1^k, ak) \text{ accepts when talking to } P^{O'}\Big] < \big(q + \ell_{\mathrm{out}}(k)\cdot m\big)^2 \cdot 2^{-\ell_{\mathrm{out}}} + 2^{-k}$$

where q is the total number of queries that P makes to the oracle A and m is the total number of messages that it sends to the verifier V. 
Completeness with short messages. For every polynomial-time-computable function ensemble $\mathcal{F}$, there exists a polynomial-time prover $P_{\mathcal{F}}$ such that: 

1. For every choice of the seed s and of $ak \in \{0,1\}^{\ell_{\mathrm{out}}(k)}$, the verifier $V^{f_s}(1^k, ak)$ always accepts when talking to $P_{\mathcal{F}}(s)$. 

2. On security parameter k, the prover $P_{\mathcal{F}}(s)$ only sends to the verifier poly(k) many messages, each of length $O((\log k)\cdot \ell_{\mathrm{out}}(k)) = O(\log^2 k)$. 



Proof Sketch. The only assertions that are not obvious are the soundness bound and the size of the messages. For the soundness bound, recall that (by Proposition 2) when O′ is a random function (and therefore also O is a random function), the probability that there exists an input x that makes $M^O(1^k, x)$ accept is at most $2^{-k}$. If there is no such input, then the only way to make V accept is to “forge” some valid paths, and (by Proposition 4) this can only be done with probability bounded as in that proposition. Slightly more formally, consider the transcript of a proof in which $P^{O'}$ causes $V^{O'}$ to accept. Considering all the messages that P sent to V in this transcript, one can easily define a “depend-on” relation among them (namely, when one message contains an authentication tag that was obtained in a previous message). This, in turn, allows us to define the complete configurations that were “rightly authenticated” during this transcript (namely, those configurations that correspond to a computation that starts from the initial configuration of $M_k$ on some input x). Hence, we either find an initial configuration from which $M(1^k, x)$ accepts (a probability $2^{-k}$ event), or we find a computation that begins from some non-initial configuration. Since the verifier never authenticates a non-initial configuration unless it sees a valid path belonging to a configuration that directly precedes it, the valid path belonging to the first non-initial configuration must be a forgery. (By making suitable oracle calls before sending each message to the verifier, we can convert the cheating prover to a forger that makes at most $q + \ell_{\mathrm{out}} \cdot m$ queries, and soundness follows.) 

As for the size of the messages sent by the honest prover, let $\mathcal{F}$ be any polynomial-time-computable function ensemble. This means that there is a polynomial p(·) such that on security parameter k, specifying any function $f_s \in \mathcal{F}_k$ can be done using at most p(k) bits, and moreover, computing $f_s(x)$ for any |x| < k takes at most p(k) time. (Below we assume for convenience that p(k) > k.) For any $f_s \in \mathcal{F}_k$, let $\pi_s$ be a description of a Turing machine computing $f_s$. By the above, $|\pi_s| = |s| + O(1) < p(k) + O(1)$. This implies that for any $f_s \in \mathcal{F}_k$, the non-interactive verifier $M(1^k, \pi_s)$ runs in time at most $O(k + 2p(k))\cdot p(k) = O(p^2(k))$, and therefore it only has configurations of length at most $O(p^2(k))$. 




On the Random-Oracle Methodology 



The honest prover $P_{\mathcal{F}}$, having access to s, can compute the description $\pi_s$ and take the verifier step-by-step through the execution of $M(1^k, \pi_s)$, which consists only of $O(p^2(k))$ steps. It begins by sending a message (‘Init’, 0, sb), with the bound sb being set to sb = $O(p^2(k))$, and in each step thereafter it only needs to send a constant number of paths in the tree, each of length log(sb). Since each node in the tree contains a string of length $\ell_{\mathrm{out}}(k)$, it follows that the total length of the prover’s queries is $O(\log(\mathrm{sb}) \cdot \ell_{\mathrm{out}}(k)) = O(\ell_{\mathrm{out}}(k)\cdot \log(p^2(k))) = O(\ell_{\mathrm{out}}(k)\cdot \log k)$. □ 



3.4 The Signature Scheme 

Combining the proof system from the previous section with the ideas outlined 
in Sections 1 and 2, it is quite straightforward to construct the desired signature 
scheme (summarized in the next theorem). 

Theorem 6 (Theorem 1, restated) There exists a signature scheme S that is existentially unforgeable under a chosen message attack in the Random Oracle Model, but such that when implemented with any efficiently computable function ensemble, the resulting scheme is totally breakable under chosen message attack. Moreover, the signing algorithm of S is stateless, and on security parameter k, it can only be applied to messages of size poly-logarithmic in k. 

Proof. Let $(P_{\mathrm{pf}}, V_{\mathrm{pf}})$ be the proof system for “non-randomness” described in Section 3.3. Let $S = (G_{\mathrm{sig}}, S_{\mathrm{sig}}, V_{\mathrm{sig}})$ be any stateless signature scheme that is existentially unforgeable under a chosen message attack in the Random Oracle Model (we know that such schemes exist, e.g., using Naor-Yung [14] with the random oracle used in the role of a universal one-way hash function). We view all the machines $P_{\mathrm{pf}}$, $V_{\mathrm{pf}}$, $G_{\mathrm{sig}}$, $S_{\mathrm{sig}}$, and $V_{\mathrm{sig}}$ as oracle machines (although $G_{\mathrm{sig}}$, $S_{\mathrm{sig}}$, or $V_{\mathrm{sig}}$ may not use their oracle). We modify the signature scheme to obtain a different signature scheme $S' = (G', S', V')$. 

— On input $1^k$ (k being the security parameter), the key generation algorithm G′ first runs $G_{\mathrm{sig}}$ to obtain a private/public key-pair of the original scheme, $(sk, vk) \leftarrow G^O_{\mathrm{sig}}(1^k)$. Then it chooses a random $\ell_{\mathrm{out}}$-bit “authentication key” $ak \in_R \{0,1\}^{\ell_{\mathrm{out}}(k)}$ (used by $V_{\mathrm{pf}}$). The public verification key is just vk, and the secret signing key is the pair (sk, ak). (We assume that the security parameter k is implicit in both vk and sk.) 

— On message m, signing key (sk, ak) and access to oracle O, the signature algorithm S′ works as follows: If the message m is too long (i.e., $|m| > \log^3 k$) then it outputs an empty signature ⊥.† Otherwise, it invokes both the proof-verifier $V_{\mathrm{pf}}$ and the signer $S_{\mathrm{sig}}$ on the message m to get $\sigma_{\mathrm{pf}} \leftarrow V^O_{\mathrm{pf}}(ak, m)$ and $\sigma_{\mathrm{sig}} \leftarrow S^O_{\mathrm{sig}}(sk, m)$. If the proof-verifier accepts (i.e., $\sigma_{\mathrm{pf}}$ = “accept”) then the signature consists of the secret key, $\sigma = (\sigma_{\mathrm{sig}}, (sk, ak))$. Otherwise, the signature is the pair $\sigma = (\sigma_{\mathrm{sig}}, \sigma_{\mathrm{pf}})$. 

† Alternatively, S′ may return $(S^O_{\mathrm{sig}}(sk, m), \bot)$, and we should note that in the (“real world”) attack described below only short messages are used. 
— The verification algorithm V′, on message m, alleged signature $\sigma = (\sigma_1, \sigma_2)$, verification key vk and access to oracle O, just invokes the original signature-verifier $V_{\mathrm{sig}}$ on the first part of the signature, outputting $V^O_{\mathrm{sig}}(vk, m, \sigma_1)$. 

It is clear from the description that this scheme is stateless, and that it can only be used to sign messages of length at most $\log^3 k$. It is also easy to see that with any implementation via function ensemble, the resulting scheme is totally breakable under adaptive chosen message attack. When implemented using function ensemble $\mathcal{F}$, an attacker uses the prescribed prover $P_{\mathcal{F}}$ (of Proposition 5). Recall that the seed s for the function $f_s$ that is used to implement the oracle is included in the public key, so the attacker can just run $P_{\mathcal{F}}(s)$. The attacker sends the prover’s messages to the signer S′, and the size of these messages is $O(\log^2 k) < \log^3 k$, where the constant in the O-notation depends on the ensemble $\mathcal{F}$. The second component of the signatures on these messages are the replies from the proof-verifier $V_{\mathrm{pf}}$. From Proposition 5 we conclude that after signing polynomially many such messages, the proof-verifier accepts (with probability one), at which point the signing algorithm will output the secret signing key. Thus, we totally break the scheme’s implementation (by any function ensemble). 

Next we show that the scheme S' is existentially unforgeable under a chosen 
message attack in the Random Oracle Model. Informally, the reason is that in 
the Random Oracle Model a forger will not be able to cause the proof-verifier to 
accept, and thus it will be left with the task of forging a signature with respect 
to the original (secure) signature scheme. 

Formally, consider a polynomial-time forger F′, attacking the scheme S′, let ε = ε(k) denote the probability that F′ issues a forgery, and assume, toward contradiction, that ε is non-negligible. Consider the invocations that the signing algorithm makes to the proof-verifier $V_{\mathrm{pf}}$ during the attack. Let δ = δ(k) be the probability that $V_{\mathrm{pf}}$ replies to some query with “accept”. Since we can view the combination of F′ and the signing algorithm as a (cheating) prover $P^O$, Proposition 5 tells us that $\delta < q^2/2^{\ell_{\mathrm{out}}} + 2^{-k}$ where q is bounded by the running time of F′ (which is polynomial in k). Hence δ is negligible. 

Next we show a polynomial-time forger $F_{\mathrm{sig}}$ against the original scheme S that issues a forgery with probability at least ε − δ, contradicting the security of S. The forger $F_{\mathrm{sig}}$ is given a public key vk that was generated by $G_{\mathrm{sig}}(1^k)$, it has access to the signing oracle $S^O_{\mathrm{sig}}(sk, \cdot)$ for the corresponding signing key sk, and also access to the random oracle O. It picks at random an “authentication key” $ak \in \{0,1\}^{\ell_{\mathrm{out}}(k)}$, then invokes the forger F′ on the same public key vk. 

When F′ asks for a signature on a message m, the forger $F_{\mathrm{sig}}$ behaves much like the signature algorithm S′. Namely, if $|m| > \log^3 k$ it returns ⊥. Otherwise, it computes $\sigma_{\mathrm{pf}} \leftarrow V^O_{\mathrm{pf}}(ak, m)$, and it queries its signing oracle on m to get $\sigma_{\mathrm{sig}} \leftarrow S^O_{\mathrm{sig}}(sk, m)$. If the proof-verifier accepts, $\sigma_{\mathrm{pf}}$ = “accept”, then $F_{\mathrm{sig}}$ aborts. Else it returns the pair $\sigma = (\sigma_{\mathrm{sig}}, \sigma_{\mathrm{pf}})$. If F′ issues a forged message m′ with signature $(\sigma'_1, \sigma'_2)$ then $F_{\mathrm{sig}}$ issues the same forged message m′ and signature $\sigma'_1$. It is clear that $F_{\mathrm{sig}}$ succeeds in forging a signature if and only if F′ forges a signature without causing the proof-verifier $V_{\mathrm{pf}}$ to accept, which happens with probability at least ε − δ. □ 

Remark 7 (Message length) Tracing through the arguments in this section, it can be seen that the message-length can be decreased from $\log^3 k$ to $\omega(\log^2 k)$: It suffices to use a space-bound $\mathrm{SB} = \omega(\log k)$, which yields a (prescribed) proof system with prover message of length $\omega(\log^2 k)$, for any function ensemble. However, achieving poly-logarithmic message length relies heavily on the fact that we use the random oracle for authentication, and on the fact that the random oracle yields authentication with “exponential hardness”. In Section 4 below, we instead use standard collision-intractable functions and message-authentication codes, that only enjoy “super-polynomial hardness”. In this case, the achievable message length would be $O(k^{\varepsilon})$ for any desired (fixed) ε > 0. 

4 A Proof System for Any NP-Language 

The description in Section 3 combined the specifics of our application (i.e., proving non-randomness of an oracle) with the general ideas underlying the construction of the new proof system. In this section, we apply the latter ideas in order to derive a new type of proof systems for any language in $\mathcal{NP}$. 

The model is similar to ordinary interactive proofs as in GMR [9] (and arguments as in BCC [3]), except that the verifier is stateless. That is, the verifier is represented by a randomized process that, given the verifier’s input and the current incoming message, determines the verifier’s next message. This process is probabilistic polynomial-time, but it cannot affect the verifier’s state. In particular, the verifier’s decision to accept or reject (or continue in the interaction) will be reflected in its next message. (In a sense, the verifier will not even remember its decision, but merely notify the world of it.) 

The above model, per se, allows one to prove membership in any NP-set, by merely having the prover send the corresponding NP-witness. However, we are interested in such proof systems in which the prover only sends short messages. This rules out the simple solution just suggested. But, as stated, this model does not allow one to do much beyond using short NP-witnesses whenever they exist. The reason is that, from the verifier’s point of view, there is no “relation” between the various communication rounds, and the only function of the multiple interactions is to provide multiple attempts of the same experiment. The situation changes once we provide the verifier with an auxiliary secret input. This input is chosen uniformly from some domain and remains fixed throughout the run of the protocol. The goal of this auxiliary input is to model some very limited form of state that is kept between sending a message and receiving the response. 

To summarize, we are interested in proof systems (or arguments) that satisfy 
the following three conditions: 

1. In addition to the common input, denoted x, the verifier receives an auxiliary secret input, denoted s, that is chosen uniformly from some domain. As usual, we focus on a probabilistic polynomial-time prover that also receives an auxiliary input, denoted y. 

2. The verifier employs a stateless strategy. That is, there exists a probabilistic polynomial-time algorithm V such that the verifier answers the current message m with V(x, s, m). 

3. The prover can only send short messages. That is, it can only send messages of length $\ell(|x|)$, where $\ell(n) \ll n$ (e.g., $\ell(n) = \sqrt{n}$). 

One may think of such proofs as proving statements to a child: The verifier’s 
attention span limits us to sending it only £(n) bits at a time, after which its 
attention is diverted to something else. Moreover, once we again capture the 
verifier’s attention, it has already forgotten everything that had happened before. 

Assuming the existence of collision-resistant hash functions,† we can show 
that such a proof system can emulate any proof system (having an efficient pre- 
scribed prover strategy). The emulation will only be computationally-sound 
(i.e., it is possible but not feasible to cause the verifier to accept false state- 
ments). In fact, we have already shown such a proof system: It is implicit in 
the description of Section 3, when one replaces the two different roles of A 
(see proof of Proposition 4) by a collision-resistant hash function and a message- 
authentication scheme, respectively. Indeed, the description in Section 3 referred 
to the emulation of a specific test, but it applies as well to the emulation of any 
ordinary verifier strategy (i.e., one that does maintain state between communica- 
tion rounds). Specifically, one may first transform the original interactive proof 
to one in which the prover sends a single bit in each communication round, and 
then emulate the interaction of the resulting verifier by following the descrip- 
tion in Section 3. Note that what we need to emulate in a non-trivial manner is 
merely the state maintained by the (resulting) verifier between communication 
rounds. 

Comments: Since anyhow we are obtaining only a computationally-sound interactive proof (i.e., an argument system), we may as well emulate argument systems of low (total) communication complexity (cf. Kilian [11]), rather than interactive proofs or NP-proofs.‡ This way, the resulting proof system will also have low (total) communication complexity (because the length of the state maintained by the original verifier between communication rounds need not exceed the length of the total communication). (We stress that the original argument systems of low communication complexity cannot be executed, per se, in the current model, because their soundness relies on the verifier’s memory of a previous message.) We also comment that (like in the description of Section 3), 

† In fact, the existence of one-way functions suffices, but this requires a minor modification of the argument used in Proposition 4. Specifically, instead of using a tree structure to hash configurations into short strings, we use the tree as an authentication tree, where collision-resistant hashing is replaced by (length-decreasing) MACs. 

‡ Recall that interactive proof systems are unlikely to have low (total) communication complexity; see the work of Goldreich and Håstad [4]. The interested reader is also referred to a follow-up work by Goldreich, Vadhan and Wigderson [8]. 
we can handle the case where the actual input (i.e., x) or part of it is sent to the verifier during the proof process (rather than being handed to it at the very start). 
Abstract. In the setting of universal composability [Can01], commitments cannot be implemented without additional assumptions such as that of a publicly available common reference string [CF01]. Here, as an alternative to the commitments in the common reference string model, the use of random oracles to achieve universal composability of commitment protocols is motivated. Special emphasis is put on the security in the situation when the additional “helper functionality” is replaced by a realizable primitive. This contribution gives two constructions which allow to turn a given non-interactive commitment scheme into a non-interactive universally composable commitment scheme in the random oracle model. For both constructions the binding and the hiding property remain valid when collision-free hash functions are used instead of random oracles. Moreover the second construction in this case even preserves the property of perfect binding. 

Keywords: cryptographic protocols, universal composition, commitment, random oracle. 



1 Introduction 

The framework [Can01] for multi-party computations allows to formulate the security and, in particular, the composition of multi-party protocols in a very general way. It is possible to treat security notions for rather different multi-party tasks in a common way. For this, protocols are compared to idealized versions of the respective protocol task. If a protocol “behaves” exactly like this idealization with respect to any attacker and in any environment, it is considered a secure realization of the protocol task in question. In the setting of [Can01] an arbitrary environment surrounding the protocol execution is mimicked by an environment machine Z. Furthermore the environment machine Z serves as a distinguisher between a real protocol and the idealized version. A protocol is securely realizing an ideal functionality if no environment Z can distinguish between an execution of the real protocol with a real adversary and a run of the ideal functionality together with a simulator trying to mimic the effect of the real attack. For the purpose of distinguishing, the environment machine may choose the inputs for all parties, may see the outputs of all parties, and may interact with the adversary at any time during the protocol. 

This notion of security, which implies universal composability [Can01], is very strict and it was shown in [CF01] that an idealization of a commitment task cannot be securely realized in this sense without additional assumptions. (With additional assumptions, we mean special facilities protocol participants may use and which itself may not be securely realizable; as an example, consider public information ideally chosen from some predefined distribution. See below for details.) 

However, in [CF01,DN02,CLOS02], several protocols for securely realizing an idealization of a commitment functionality are presented; all of them are formulated in the common reference string model, i.e., all of them expect access to public information ideally drawn from some predefined distribution. 

The selection of this common reference string is crucial for the security of the commitment protocol. In particular, “imperfect” selections possibly influenced by an adversary may affect the security of the commitment protocol in a very severe way, as will be discussed in Section 3.1. The common reference string in [CF01] serves as a public key to which the corresponding secret key is unknown by assumption. If, in the worst case, the adversary were allowed to choose the common reference string by himself then the binding property as well as the hiding property of a commitment scheme built on this common reference string would be compromised (an analogous statement holds for the constructions in [DN02,CLOS02]). This is especially dangerous as this security leak cannot be “detected”, because the public key is chosen with the appropriate distribution. As a different approach, we consider the use of random oracles for building bit commitment protocols. Of course, like the common reference string, random oracles are not realizable and the property of universal composability is lost when concrete functions replace the random oracle calls. This is in accordance with other results like [CGH98,Nie02,GTK03,BBP03]. These contributions show explicitly that there are protocols which can be proven secure in the random oracle model, yet lose this security completely when instantiating the random oracles. In contrast to that, we show that there is a construction which turns a given bit commitment protocol into a protocol which is universally composable in the random oracle model and which remains binding and hiding when substituting the random oracles with a special class of functions (namely, collision-free hash functions). 

As a first solution one might think of using random oracles to derive a com- 
mon reference string with which universally composable bit commitment can be 
obtained. But if a random oracle would be replaced by any real hash function 
no general guarantee for the derived common reference string could be given 
and all protocols on its basis would be critical. To ensure the common reference 
string to be chosen at random one could think of deriving it by an interactive 
protocol which still ensures randomness of the common reference string when 
random oracles are replaced by real hash functions. But this is not the approach 
chosen here as this additional interactive protocol reduces the efficiency. 
In this contribution we use random oracles in a different way to obtain universal composability which ensures the properties binding and hiding even if the random oracles are replaced by arbitrary collision free hash functions. A random oracle will be used as a function which can be evaluated by every participant of the protocol, but which is not accessible to the environment machine. The equivocability of a bit commitment, which is important for simulatability, can then easily be obtained as in the ideal protocol no random oracle exists and the ideal adversary can determine the outcome of (simulated) evaluations of the random oracle. (Note that in [Nie02], a similar method was used to obtain non-committing encryption in the random oracle model.) 

Furthermore this limitation put up on the environment machine will make 
it impossible for the environment machine to generate commitments to strings 
unknown to the attacker thereby preventing attacks where the environment ma- 
chine uses a corrupted party as a relay to insert such bit commitments into the 
protocol. Specifically, we give two constructions to convert a bit commitment 
scheme into a universally composable bit commitment scheme using random ora- 
cles. Both constructions yield bit commitments which remain binding and hiding 
if the random oracle used is replaced by an arbitrary collision free hash function. 
The first and more simple construction however does not conserve the property 
of being perfectly binding, whereas the second construction yields a commitment 
scheme which is perfectly binding if the original commitment scheme was. 

2 Preliminaries 

2.1 The General Framework 

To start, we shortly outline the framework for multi-party protocols defined in [Can01]. First of all, parties (denoted by $P_1$ through $P_n$) are modeled as interactive Turing machines (ITMs) (cf. [Can01]) and are supposed to run some (fixed) protocol π. There also is an adversary (denoted A and modeled as an ITM as well) carrying out attacks on protocol π. Therefore, A may corrupt parties (in which case it learns the party’s current state and the contents of all its tapes, and controls its future actions), and intercept or, when assuming unauthenticated message transfer, also fake messages sent between parties. If A corrupts parties only before the actual protocol run of π takes place, A is called non-adaptive, otherwise A is said to be adaptive. The respective local inputs for protocol π are supplied by an environment machine (modeled as an ITM and denoted Z), which may also read all outputs locally made by the parties and communicate with the adversary. Here we will only deal with environments guaranteeing a polynomial (in the security parameter) number of total steps all participating ITMs run. For more discussion on this issue, cf. [HMQS03b]. 

The model we have just described is called the real model of computation. In contrast to this, the ideal model of computation is defined just like the real model, with the following exceptions: we have an additional ITM called the ideal functionality $\mathcal{F}$ and being able to send messages to and receive messages from the parties privately (i.e., without the adversary being able to even intercept these messages). The ideal functionality may not be corrupted by the adversary, yet may send messages to and receive messages from it. Furthermore, the parties $P_1, \ldots, P_n$ are replaced by dummy parties $\tilde{P}_1, \ldots, \tilde{P}_n$ which simply forward their respective inputs to $\mathcal{F}$ and take messages received from $\mathcal{F}$ as output. Finally, the adversary in the ideal model is called the simulator and denoted S. The only means of attack the simulator has in the ideal model are those of corrupting parties (which has the same effect as in the real model), delaying or even suppressing messages sent from $\mathcal{F}$ to a party, and all actions that are explicitly specified in $\mathcal{F}$. However, S has no access to the contents of the messages sent from $\mathcal{F}$ to the dummy parties (except in the case the receiving party is corrupted) nor are there any messages actually sent between (uncorrupted) parties S could intercept. Intuitively, the ideal model of computation (or, more precisely, the ideal functionality $\mathcal{F}$ itself) should represent what we ideally expect a protocol to do. In fact, for a number of standard tasks, there are formulations as such ideal functionalities (see, e.g., [Can01]). 

To decide whether or not a given protocol $\pi$ does what we would ideally expect some ideal functionality $\mathcal{F}$ to do, the framework of [Can01] uses a simulatability-based approach: at a time of its choice, $Z$ may enter its halt state and leave output on its output tape. The random variable describing the first bit of $Z$'s output will be denoted by $\mathrm{REAL}_{\pi,A,Z}(k,z)$ when $Z$ is run on security parameter $k \in \mathbb{N}$ and initial input $z \in \{0,1\}^*$ (which may, in case of a non-uniform $Z$, depend on $k$) in the real model of computation, and by $\mathrm{IDEAL}_{\mathcal{F},S,Z}(k,z)$ when $Z$ is run in the ideal model. Now if for any adversary $A$ in the real model, there exists a simulator $S$ in the ideal model such that for any environment $Z$ and any initial input $z$, the quantity

$$\bigl|\Pr[\mathrm{REAL}_{\pi,A,Z}(k,z) = 1] - \Pr[\mathrm{IDEAL}_{\mathcal{F},S,Z}(k,z) = 1]\bigr| \qquad (1)$$

is a negligible¹ function in $k$, then protocol $\pi$ is said to securely realize functionality $\mathcal{F}$.² Intuitively, this means that any attack carried out by adversary $A$ in the real model can also be carried out in the idealized modeling with an ideal functionality by the simulator $S$ (hence the name), such that no environment is able to tell the difference. By definition, the trivial protocol which does not generate output realizes any ideal functionality securely. (The corresponding simulator just has to suppress delivery of messages from the ideal functionality to the parties.) To avoid such trivial realizations, we will only consider terminating protocols, which eventually generate output when all protocol messages in the real model are delivered.

To allow for modular protocol design, [Can01] also introduces the $\mathcal{F}$-hybrid model of computation (for an arbitrary ideal functionality $\mathcal{F}$). Briefly, this model is identical to the real model of computation, but the parties have access to an unbounded number of instances of $\mathcal{F}$, each one identified via a session identifier (SID). The modularity of the hybrid model is legitimated by the fundamental composition theorem of [Can01]. Summarizing, it states that once protocol $\rho$ securely realizes functionality $\mathcal{F}$, in any protocol $\pi$ running in the $\mathcal{F}$-hybrid model, a polynomial number of instances of $\mathcal{F}$ can be substituted by invocations of $\rho$ without losing security. Specifically, for every real-life adversary $A$, there is a hybrid-model adversary $\mathcal{H}$ such that no environment can tell whether it is interacting with $A$ and $\pi$ (with $\mathcal{F}$-instances substituted by invocations of $\rho$) in the real model, or with $\mathcal{H}$ and $\pi$ in the $\mathcal{F}$-hybrid model.

¹ A function $f : \mathbb{N} \to \mathbb{R}$ is called negligible if for any $c \in \mathbb{N}$ there is a $k_0 \in \mathbb{N}$ such that $|f(k)| < k^{-c}$ for all $k > k_0$.

² The formulation in [Can01] is slightly different, but equivalent to the one chosen here, which allows us to simplify our presentation.

2.2 The Common Reference String Model

To capture the notion of information publicly known to all protocol participants, the modeling of [Can01] can be extended to give any participant (including the adversary) access to a common reference string, initially chosen from some distribution $D$. This can be cast as the $\mathcal{F}_{\mathrm{CRS}}$-hybrid model, where $\mathcal{F}_{\mathrm{CRS}}$ denotes the ideal functionality that in its first activation chooses a value $d$ from a distribution $D$ (by which $\mathcal{F}_{\mathrm{CRS}}$ is parameterized). From this point on, it replies to any request from a party $P_i$ or from the adversary with this value $d$.

2.3 Collision-Free Hash Functions

A family $\mathcal{H} = \{H_k\}_{k \in \mathbb{N}}$ of functions $H_k : \{0,1\}^* \to \{0,1\}^k$ is called a family of collision-free hash functions if the following requirements are met:

- There is a probabilistic algorithm $A$ computing $H_k$ in time polynomial in both $k$ and the input length.

- There is no probabilistic algorithm $B$ that, in polynomial time, finds $x, y \in \{0,1\}^*$ with $x \neq y$ and $H_k(x) = H_k(y)$ with non-negligible probability.

Using the argument in the proof of [Dam90, Lemma 2.1], one can derive a certain one-way property: for a family of collision-free hash functions $\mathcal{H} = \{H_k\}$ as above, there can be no probabilistic algorithm $C$ which, on input $y = H_k(x) \in \{0,1\}^k$ for uniformly selected $x \in \{0,1\}^{k+1}$, succeeds with non-negligible probability in finding, in polynomial time, an $x' \in \{0,1\}^{k+1}$ with $H_k(x') = y$.

2.4 The Random Oracle Model

The random oracle model (see, e.g., [BR93]) captures an idealization of a hash function. In particular, the idealized version allows only black-box access and cannot be "predicted" without explicitly evaluating it. Moreover, the function values are uniformly selected random $k$-bit strings. Using the terminology just described, the random oracle model can be modeled in the setting of [Can01] as the $\mathcal{F}_{\mathrm{RO}}$-hybrid model for the ideal functionality $\mathcal{F}_{\mathrm{RO}}$ given in Figure 1. In the presence of more than one party, $\mathcal{F}_{\mathrm{RO}}$ cannot be realized securely without inter-party communication. (In this case, its very definition forces any protocol aimed at realizing $\mathcal{F}_{\mathrm{RO}}$ to behave like an "almost" deterministic function evaluation; yet such a function, which is by construction easily computable and explicitly given, can be distinguished easily from $\mathcal{F}_{\mathrm{RO}}$, which chooses its return values completely at random in each run.) In particular, one cannot hope to securely realize $\mathcal{F}_{\mathrm{RO}}$ by, e.g., a family of collision-free hash functions. Below we will investigate possible consequences of such "imperfect" realizations of $\mathcal{F}_{\mathrm{RO}}$.

Functionality $\mathcal{F}_{\mathrm{RO}}$

$\mathcal{F}_{\mathrm{RO}}$ proceeds as follows, running on security parameter $k$, with parties $P_1, \ldots, P_n$ and an adversary $S$.

1. $\mathcal{F}_{\mathrm{RO}}$ keeps a list $L$ (which is initially empty) of pairs of bitstrings.

2. Upon receiving a value $(\mathit{sid}, m)$ (with $m \in \{0,1\}^*$) from some party $P_i$ or from $S$, do:

   - If there is a pair $(m, \tilde h)$ for some $\tilde h \in \{0,1\}^k$ in the list $L$, set $h := \tilde h$.

   - If there is no such pair, choose $h \in \{0,1\}^k$ uniformly and store the pair $(m, h)$ in $L$.

   Once $h$ is set, reply to the activating machine (i.e., either $P_i$ or $S$) with $(\mathit{sid}, h)$.

Fig. 1. Functionality $\mathcal{F}_{\mathrm{RO}}$



2.5 Security Notions for Commitments

First a general remark: for any probabilistic algorithm $A$ we write $A(x; r)$ to indicate execution of $A$ on input $x \in \{0,1\}^*$ and with explicitly supplied random coins $r \in \{0,1\}^*$. Now a non-interactive string commitment scheme $\mathcal{C} = \{C_k, V_k\}$, indexed by a security parameter $k \in \mathbb{N}$, is a family of polynomial-time (in both $k$ and input length) algorithms $C_k$ and $V_k$, where the $C_k$ may be probabilistic. We mandate that $C_k$ outputs a tuple $(com, dec)$ of bitstrings $com$ and $dec$ on input $m \in \{0,1\}^*$, while $V_k$ generates output $m \in \{0,1\}^* \cup \{\bot\}$ on input $(com, dec)$. Furthermore, we require:

1. (Meaningfulness.) $V_k(C_k(m)) = m$ for all $k \in \mathbb{N}$ and $m \in \{0,1\}^*$.

2. (Hiding property.) For any $m \in \{0,1\}^*$, let $\{com(m)\}$ denote the distribution $\{com : (com, dec) \leftarrow C_k(m)\}$. We require that for arbitrary $m_1, m_2 \in \{0,1\}^*$ with $|m_1| = |m_2|$, the distributions $\{com(m_1)\}$ and $\{com(m_2)\}$ are computationally indistinguishable. If any two such distributions are also indistinguishable for computationally unbounded algorithms, we say that the scheme is unconditionally hiding.

3. (Binding property.) There is no probabilistic, polynomial-time (in $k$) algorithm $B$ which is able to produce with non-negligible probability (in $k$) a tuple $(com, dec_1, dec_2)$ such that $\bot \neq V_k(com, dec_1) \neq V_k(com, dec_2) \neq \bot$. If this holds even for computationally unbounded $B$, then the scheme is said to be unconditionally binding.

It will be convenient to denote by $com_k^{\mathcal{C}}(m)$ (resp. $dec_k^{\mathcal{C}}(m)$) the first (resp. the second) component of $C_k$'s output when run on input $m$; in particular, $com_k^{\mathcal{C}}$ and $dec_k^{\mathcal{C}}$ can be viewed as probabilistic algorithms.

3 Commitment in the Random Oracle Model

3.1 Motivation

The common reference string model proved extremely useful for realizing general ideal functionalities: in [CLOS02], it is shown that almost any two-party ideal functionality $\mathcal{F}$ can be realized in the $\mathcal{F}_{\mathrm{CRS}}$-hybrid model, under the assumption that trapdoor permutations and augmented two-party non-committing encryption protocols exist. It is also shown there that this result can be extended to the multi-party case when we additionally assume a broadcast channel to be available (which can also be modeled as an ideal functionality). A key point in the constructions of [CLOS02] is the realization of the commitment functionality $\mathcal{F}_{\mathrm{MCOM}}$ (see also Appendix A) in the $\mathcal{F}_{\mathrm{CRS}}$-hybrid model. Since $\mathcal{F}_{\mathrm{MCOM}}$ cannot be securely realized as a two-party computation in the real model (see [CF01]), one must assume some "helper functionality" such as $\mathcal{F}_{\mathrm{CRS}}$ to be available. Indeed, in [CF01,DN02,CLOS02], several realizations of different commitment functionalities are described in the common reference string model.

Let us briefly recall which additional features the common reference string is to give us when having in mind securely realizing, e.g., $\mathcal{F}_{\mathrm{MCOM}}$ (cf. also the discussion in [CLOS02, Section 5]). First, note that at the time one party initiates a commitment in the ideal model, the simulator $S$ must be able to supply the environment $Z$ with a valid commitment without knowing to which value $P_i$ is actually committed. Furthermore, in case of a corrupted committer, $S$ must be able to extract the committed bit out of a valid commitment. Since choosing the common reference string alone must enable the simulator to do so, the whole security of a commitment protocol formulated in the common reference string model relies on the fact that $\mathcal{F}_{\mathrm{CRS}}$ chooses the common reference string ideally and in a trusted manner.

Moreover, once we assume "imperfect" implementations of the ideal functionality $\mathcal{F}_{\mathrm{CRS}}$ (i.e., publicly available random strings whose choice may somehow be influenced by an adversary), any protocol which realizes $\mathcal{F}_{\mathrm{MCOM}}$ in the $\mathcal{F}_{\mathrm{CRS}}$-hybrid model may become insecure in a fatal way: in the extreme case in which an adversary may freely choose the common reference string, it can generate "fake" commitments which it can later open as 0 or 1, as well as "look into" legitimately generated commitments at will. Specifically, such imperfect common reference strings can damage the security of the general constructions in [CLOS02] in a serious way. That is, a protocol which is to realize some ideal functionality $\mathcal{F}$ using commitments not only loses its universal composability property, but also may lose security in a very "intuitive" way, since the underlying commitment scheme does so.

One way to avoid this is to use another "helper functionality". In this contribution we will present two constructions in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model where a random oracle $\mathcal{F}_{\mathrm{RO}}$ is available. The constructions of this work allow one to turn a given non-interactive string commitment scheme into a non-interactive string commitment scheme in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model which is universally composable. Moreover, the constructions ensure the hiding and binding properties even when the random oracles are replaced by arbitrary collision-free hash functions. The second construction even preserves the property of perfect binding. In fact, when implementing the ideal commitment functionality via a hiding and unconditionally binding commitment scheme, the construction in [CLOS02] (formulated in the framework of [Can01]) for realizing general ideal functionalities is essentially the one presented in [GMW87,Gol02] in the special case of a secure function evaluation.

3.2 A Universally Composable Commitment Scheme

First, let us have a look at the above-mentioned functionality $\mathcal{F}_{\mathrm{SCOM}}$, which is derived from the functionality $\mathcal{F}_{\mathrm{MCOM}}$ of [CLOS02] (the latter is also given in Appendix A). A description of $\mathcal{F}_{\mathrm{SCOM}}$ is given in Figure 2. The commitment phase described is different from that of $\mathcal{F}_{\mathrm{MCOM}}$. This is to take into account the following attack, which is described for the case of key exchange in [HMQS03a], and goes back to an argument of Damgård for the case of bit commitment. For this attack, one party $P_i$ is invoked with input $b$ by the environment. Then, before any messages are delivered, the environment instructs the adversary to corrupt $P_i$ and to let it perform the protocol from the start, but using input $b' \neq b$. In the ideal model, $P_i$'s input $b$ is already forwarded to $\mathcal{F}_{\mathrm{MCOM}}$ and cannot be changed anymore, although $P_i$ gets corrupted later on. On the other hand, in the real model, the bit committed to will be $b' \neq b$, as $P_i$ is "reset" when corrupted and no messages were delivered before. This allows for a "trivial" distinction of real and ideal model for any protocol aimed at realizing $\mathcal{F}_{\mathrm{MCOM}}$; we solved this situation by a modified functionality $\mathcal{F}_{\mathrm{SCOM}}$ which lets the adversary decide on the point in time when a commit input is accepted. An alternative to our formulation would be to change the framework to let the adversary also delay messages sent from parties to the ideal functionality. This approach was taken in [CLOS02, revision dated July 14th].

Notice that different commitments are handled via different subsession identifiers, each one of them handling at most one commitment per committer-receiver pair. Furthermore, $\mathcal{F}_{\mathrm{SCOM}}$ allows committing to a string of bits rather than only to a single bit. It is worthwhile to point out that no information (not even length information) about the string $m$ committed to is given to the adversary.

Now assume that $\mathcal{C} = \{C_k, V_k\}$ is a non-interactive string commitment scheme as described in Section 2.5. Consider protocol $\mathrm{HC}_{\mathcal{C}}$ given in Figure 3. This protocol is formulated in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model and aimed at realizing the ideal functionality $\mathcal{F}_{\mathrm{SCOM}}$.

Proposition 1. Assuming authenticated links, protocol $\mathrm{HC}_{\mathcal{C}}$ securely realizes $\mathcal{F}_{\mathrm{SCOM}}$ with respect to adaptive adversaries as soon as $\mathcal{C} = \{C_k, V_k\}$ is a non-interactive string commitment scheme.
Functionality $\mathcal{F}_{\mathrm{SCOM}}$

$\mathcal{F}_{\mathrm{SCOM}}$ proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $S$:

- Commit Phase:

  1. When receiving a message (commit, sid, ssid, $P_i$, $P_j$, $m$) from $P_i$, where $m \in \{0,1\}^*$, first send the message (request, sid, ssid, $P_i$, $P_j$) to the adversary $S$ and, if $S$ then issues a corresponding ready message (see below), proceed to the third step.

  2. When receiving (ready, sid, ssid, $P_i$, $P_j$, $\ell$) from the adversary, and at least $\ell$ messages (commit, sid, ssid, $P_i$, $P_j$, $m$) (possibly with different $m$'s) have been received from $P_i$, perform the third step described below with the message $m$ contained in the $\ell$-th of these messages.

  3. Record the tuple (ssid, $P_i$, $P_j$, $m$) and send (receipt, sid, ssid, $P_i$, $P_j$) to $P_j$. Ignore any future commit messages with the same ssid from $P_i$ to $P_j$.

- Reveal Phase: Upon receiving a message (reveal, sid, ssid, $P_j$) from $P_i$: if a tuple (ssid, $P_i$, $P_j$, $m$) was previously recorded, then send the message (reveal, sid, ssid, $P_i$, $P_j$, $m$) to $P_j$ and $S$. Otherwise, ignore.

Fig. 2. Functionality $\mathcal{F}_{\mathrm{SCOM}}$



Proof. For any adversary $\mathcal{H}$ mounting attacks on protocol $\mathrm{HC}_{\mathcal{C}}$ in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model, we describe a simulator $S = S_{\mathcal{H}}$ emulating such attacks in the ideal model. $S$ internally keeps a complete simulation of a run of $\mathcal{H}$ in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model. That is, $S$ keeps a simulation of parties $P_1^{(s)}$ through $P_n^{(s)}$ running protocol $\mathrm{HC}_{\mathcal{C}}$, a simulation of $\mathcal{H}$ interacting with these parties, and (as needed) simulated instances of the ideal functionality $\mathcal{F}_{\mathrm{RO}}$. Communication of $\mathcal{H}$ with the environment is forwarded to the (non-simulated) environment $Z$ with which $S$ is to interact. Similarly, messages from $Z$ to $S$ are forwarded to the adversary $\mathcal{H}$ in the simulation.

Of course, $S$ still needs to keep its simulation consistent with all inputs the dummy parties receive from $Z$; similarly, the output behaviour of the dummy parties has to be the same as that of the simulated parties. (Note that generally, $S$ has no information about inputs and only existence information about outputs of the dummy parties, unless the ideal functionality explicitly informs $S$ about incoming input, or about output sent to the parties.) Therefore, $S$ acts as follows:

- When the simulated $\mathcal{H}$ corrupts a simulated party $P_i^{(s)}$, $S$ first corrupts the corresponding dummy party $\tilde P_i$ and modifies $P_i^{(s)}$'s state to account for ignored inputs possibly handed from $Z$ to $\tilde P_i$. (Upon corruption of $\tilde P_i$, $S$ gets to know about such messages when receiving the state of $\tilde P_i$.)

- Upon receiving (request, sid, ssid, $P_i$, $P_j$) from $\mathcal{F}_{\mathrm{SCOM}}$ (in which case $\tilde P_i$ and thus $P_i^{(s)}$ must be uncorrupted), $S$ picks $s \in \{0,1\}^k$ uniformly and computes $com_1 \leftarrow com_k^{\mathcal{C}}(s; r_2)$ and $com_2 \leftarrow com_k^{\mathcal{C}}(O_{\mathit{sid}}(r_2); r_3)$ for uniformly chosen $r_2, r_3$ (here the simulated random oracle $\mathcal{F}_{\mathrm{RO}}$ is queried). Then, $S$ simulates a message (sid, ssid, $com_1$, $com_2$) from $P_i^{(s)}$ to $P_j^{(s)}$ and stores this message together with $r_2$, $r_3$, and $s$.

Protocol $\mathrm{HC}_{\mathcal{C}}$

These are instructions for parties $P_1$ through $P_n$ to carry out commitments. The parties expect to be run in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model. For ease of notation, here $O_{\mathit{sid}}(x)$ denotes the reply of the $\mathcal{F}_{\mathrm{RO}}$-instance with session ID sid to the query $x$.

- When activated with input (commit, sid, ssid, $P_i$, $P_j$, $m$), where $m \in \{0,1\}^*$, $P_i$ computes $(com_1, dec_1) \leftarrow C_k(O_{\mathit{sid}}(\mathit{ssid}, i, j, m, r_1); r_2)$ for a uniformly chosen $k$-bit string $r_1$. Note that by $r_2 \in \{0,1\}^*$ we denote the random coins used by $C_k$ during this process. Then, $P_i$ computes $(com_2, dec_2) \leftarrow C_k(O_{\mathit{sid}}(r_2))$ and sends the message (sid, ssid, $com_1$, $com_2$) to $P_j$ while storing (ssid, $j$, $m$, $r_1$, $r_2$, $dec_2$). Further (commit, sid, ssid, $P_i$, $P_j$, $\cdot$) inputs are ignored.

- When receiving (sid, ssid, $com_1$, $com_2$) from $P_i$, where $com_1, com_2 \in \{0,1\}^*$ and ssid is a subsession ID under which $P_j$ did not yet get such a message from any party, $P_j$ stores the tuple (ssid, $i$, $com_1$, $com_2$) and locally outputs (receipt, sid, ssid, $P_i$, $P_j$). Any future messages (sid, ssid, $com_1'$, $com_2'$) with the same subsession ID ssid from $P_i$ are ignored.

- When activated on input (reveal, sid, ssid, $P_j$), party $P_i$ checks if it has a tuple (ssid, $j$, $m$, $r_1$, $r_2$, $dec_2$) (for any $m, r_1, r_2, dec_2$) stored. If so, $P_i$ sends the tuple (sid, ssid, $m$, $r_1$, $r_2$, $dec_2$) to $P_j$. Further inputs (reveal, sid, ssid, $P_j$) are ignored.

- When receiving (sid, ssid, $m$, $r_1$, $r_2$, $dec_2$) with $m, dec_2, r_1, r_2 \in \{0,1\}^*$ from $P_i$ while already having received a value (sid, ssid, $com_1$, $com_2$) also from $P_i$, $P_j$ first computes $o_2 \leftarrow V_k(com_2, dec_2)$. Then, if $o_2 = O_{\mathit{sid}}(r_2)$, $P_j$ checks if $com_k^{\mathcal{C}}(O_{\mathit{sid}}(\mathit{ssid}, i, j, m, r_1); r_2)$ equals $com_1$. If so, $P_j$ locally outputs (reveal, sid, ssid, $P_i$, $P_j$, $m$) and ignores all further (sid, ssid, ...) messages. In any other case, $P_j$ does nothing.

Fig. 3. Protocol $\mathrm{HC}_{\mathcal{C}}$

- When $\mathcal{H}$ delivers a message (sid, ssid, $com_1$, $com_2$) from $P_i^{(s)}$ to $P_j^{(s)}$, and $P_j^{(s)}$ did not yet get such a message with subsession ID ssid from $P_i^{(s)}$, $S$ proceeds as follows: if $P_i^{(s)}$ (and hence $\tilde P_i$ as well) is uncorrupted, $S$ sends (ready, sid, ssid, $P_i$, $P_j$, 1) to $\mathcal{F}_{\mathrm{SCOM}}$, and delivers the receipt message then sent from $\mathcal{F}_{\mathrm{SCOM}}$ to $\tilde P_j$ as soon as $P_j^{(s)}$ outputs such a receipt message (i.e., immediately afterwards).

  If, on the other hand, $P_i^{(s)}$ (and thus $\tilde P_i$) is corrupted, then first the message $m$ committed to may have to be extracted from $com_1$ and $com_2$, which could have been supplied by $Z$ without an appropriate commit input. By looking up all queries to the simulated $\mathcal{F}_{\mathrm{RO}}$-instance with session ID sid, $S$ can reduce the search to a polynomial number of possible $m$-$r_1$-$r_2$ combinations. Hence by verifying whether $com_1$ equals $com_k^{\mathcal{C}}(O_{\mathit{sid}}(\mathit{ssid}, i, j, m, r_1); r_2)$, $S$ can extract $m$ from $com_1$ alone, provided that the commitment can be unveiled according to $\mathrm{HC}_{\mathcal{C}}$ and $\mathcal{F}_{\mathrm{RO}}$ did never output the same value twice. (Note that here we use the binding property of $\mathcal{C}$.) In the remaining cases, it suffices to set $m$ to 0 (or any other value), since $\mathcal{F}_{\mathrm{RO}}$ produces collisions only in a negligible fraction of runs, and commitments generated without explicitly querying the random oracle can be unveiled only with negligible probability. (Here it is important that, since the subsession identifier ssid and the party identities $i$ and $j$ are hashed together with $m$, hash values cannot be "re-used" in a different subsession.)

  Once $m$ is determined, $S$ sends (commit, sid, ssid, $P_i$, $P_j$, $m$) in the name of the corrupted dummy party $\tilde P_i$ to functionality $\mathcal{F}_{\mathrm{SCOM}}$, followed by a corresponding (ready, sid, ssid, $P_i$, $P_j$, $\ell$) signal. Here $\ell$ denotes the number of already received request notifications plus 1, and thus indicates that the message $m$ just sent is to be committed to. This causes the ideal functionality to send a receipt message to $\tilde P_j$, which then can be delivered by $S$ as soon as $P_j^{(s)}$ generates output in the simulation.

- Upon receiving (reveal, sid, ssid, $P_i$, $P_j$, $m$) from $\mathcal{F}_{\mathrm{SCOM}}$ (which means that $\tilde P_i$ is still uncorrupted), $S$ lets $P_i^{(s)}$ compute a commitment to $m$ at $P_j$ (under session ID sid and subsession ID ssid), but forces

  - the simulated $\mathcal{F}_{\mathrm{RO}}$ with session ID sid to output $s$ when queried by $P_i^{(s)}$ with $(\mathit{ssid}, i, j, m, r_1)$ (this is not possible when $\mathcal{F}_{\mathrm{RO}}$ was queried on $(\mathit{ssid}, i, j, m, r_1)$ before; yet, since $r_1$ is chosen uniformly from $\{0,1\}^k$ by $P_i^{(s)}$, this only occurs with negligible probability), and

  - $P_i^{(s)}$ to use the values $r_2$ and $r_3$ which $S$ stored together with the message (sid, ssid, $com_1$, $com_2$).

  Now $S$ dismisses the actual commitment message sent from $P_i^{(s)}$ to $P_j^{(s)}$ (note that by construction, this message is exactly the message simulated by $S$) and modifies $P_i^{(s)}$'s internal state so as to look as if this commitment had been performed exactly at the time the corresponding message (sid, ssid, $com_1$, $com_2$) was simulated from $P_i^{(s)}$ to $P_j^{(s)}$.

  Finally, $P_i^{(s)}$ is fed with input (reveal, sid, ssid, $P_i$, $P_j$, $m$) to reflect in the simulation the actual decommitment operation $S$ was informed about. The reveal message sent from $\mathcal{F}_{\mathrm{SCOM}}$ to $\tilde P_j$ is delivered as soon as $P_j^{(s)}$ generates as output the corresponding reveal message.

  The same procedure is applied to all commitments $P_i$ has not yet opened when $P_i^{(s)}$ gets corrupted. (Note that then, $S$ gets to know the corresponding messages committed to by receiving $\tilde P_i$'s state.)

- Finally, if $P_j^{(s)}$ generates reveal output while uncorrupted, the corresponding dummy party $\tilde P_j$ has to generate output as well. The steps above take care that this output is the same in the ideal model as in the simulation, except in a negligible fraction of runs. In particular, $S$ only needs to deliver the corresponding reveal message from $\mathcal{F}_{\mathrm{SCOM}}$ to $\tilde P_j$ when the corresponding committer $P_i$ was uncorrupted at the time it got its reveal input. If, on the other hand, $P_i$ was corrupted at that time, $S$ must first supply $\mathcal{F}_{\mathrm{SCOM}}$ with the corresponding reveal input via the corrupted dummy party $\tilde P_i$. In this case, $S$ has already extracted the message $m$ needed for this reveal input either from $P_i$'s state (when $P_i$'s corruption took place after the delivery of the commitment), or, otherwise, from the actual commitment message delivered to $P_j^{(s)}$. (Here we use that except with negligible probability, there is no efficient way to unveil a commitment in more than one way; by construction of protocol $\mathrm{HC}_{\mathcal{C}}$, this follows from the "collision-freeness" of $\mathcal{F}_{\mathrm{RO}}$.)

By construction, $S$ provides $Z$ with a view identical to one of a run in the hybrid model, until a reveal output of a party $\tilde P_j$ differs from that of the respective simulated party $P_j^{(s)}$. However, this can only happen when $S$ is unable to extract a message out of a commitment sent from a corrupted committer $P_i^{(s)}$ to an uncorrupted receiver $P_j^{(s)}$, or when $S$ cannot unveil a commitment generated by $S$ itself. As reasoned above, the probability for any of these is only negligible, hence we are done. Note that we did not use the hiding property of $\mathcal{C}$. □

For achieving universal composability, we had to incorporate subsession identifiers and the identities of committer and receiver into the message actually committed to. To allow for statements independent of such protocol-inherent information, we drop that requirement on the format of the message and, to be able to formally view the protocol $\mathrm{HC}_{\mathcal{C}}$ as a non-interactive string commitment scheme, we set $\mathrm{HC}_{\mathcal{C}} = \{C_k, V_k\}$. Here algorithm $C_k$ computes $com \leftarrow (com_k^{\mathcal{C}}(O(m, r_1); r_2),\ com_k^{\mathcal{C}}(O(r_2); r_3))$ for uniformly chosen $r_1 \in \{0,1\}^k$ and random coins $r_2, r_3 \in \{0,1\}^*$, then $dec \leftarrow (m, r_1, r_2, dec_k^{\mathcal{C}}(O(r_2); r_3))$, and returns $(com, dec)$. On input $(com, dec)$ of the form $com = (com_1, com_2)$ and $dec = (m, r_1, r_2, dec_2)$, algorithm $V_k$ computes $o_2 \leftarrow V_k(com_2, dec_2)$ (with the $V_k$ of the underlying scheme $\mathcal{C}$) and, if $o_2 = O(r_2)$, checks whether $com_1$ equals $com_k^{\mathcal{C}}(O(m, r_1); r_2)$. Only in this case $V_k$ returns $m$, otherwise it returns $\bot$.
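As an added illustration (example code written for this edit, not part of the paper), the following Python puts the non-interactive formulation of $\mathrm{HC}_{\mathcal{C}}$ next to the lazy-sampled $\mathcal{F}_{\mathrm{RO}}$ of Figure 1 and the simulator's extraction step from the proof of Proposition 1, with the subsession identifier and party identities hashed in as in Figure 3. The underlying scheme $\mathcal{C}$ is a stand-in hash commitment with explicit coins, and the parameter K, the length-prefixed tuple encoding, and the "msg" tag that separates $(ssid, i, j, m, r_1)$-queries from $r_2$-queries are all assumptions of the example; the paper leaves $\mathcal{C}$ abstract and fixes no encoding.

```python
import hashlib
import secrets
import struct

K = 32  # security parameter in bytes (k = 256 bits); a choice assumed for this example


class RandomOracle:
    """Lazy-sampled F_RO (Fig. 1): one table, keyed by (sid, query).

    The query log is what a simulator that runs F_RO internally can inspect;
    protocol parties only ever see the replies."""

    def __init__(self):
        self.table = {}   # (sid, x) -> uniformly sampled k-bit reply
        self.log = []     # (sid, x) in query order

    def query(self, sid, x):
        key = (sid, bytes(x))
        self.log.append(key)
        if key not in self.table:                 # first query: sample h uniformly
            self.table[key] = secrets.token_bytes(K)
        return self.table[key]


def encode(*fields):
    """Unambiguous, length-prefixed encoding of a tuple such as (ssid, i, j, m, r1)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def decode(buf):
    fields, pos = [], 0
    while pos < len(buf):
        n = struct.unpack(">I", buf[pos:pos + 4])[0]
        fields.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields


# Stand-in for the underlying scheme C = (C_k, V_k): a hash commitment with explicit
# coins r (an assumption of this example; the paper leaves C abstract).
def C_com(x, r):
    return hashlib.sha256(b"C-commit|" + r + x).digest()


def C_commit(x, r=None):
    r = secrets.token_bytes(K) if r is None else r
    return C_com(x, r), (x, r)


def C_verify(com, dec):
    x, r = dec
    return x if C_com(x, r) == com else None


def HC_commit(ro, sid, ssid, i, j, m):
    """Committer P_i of HC_C (Fig. 3): com = (com1, com2), dec = (m, r1, r2, dec2)."""
    r1, r2, r3 = (secrets.token_bytes(K) for _ in range(3))
    h1 = ro.query(sid, encode(b"msg", ssid, i, j, m, r1))
    com1 = C_com(h1, r2)                          # C-commitment to O(ssid,i,j,m,r1), coins r2
    com2, dec2 = C_commit(ro.query(sid, r2), r3)  # C-commitment to O(r2)
    return (com1, com2), (m, r1, r2, dec2)


def HC_verify(ro, sid, ssid, i, j, com, dec):
    """Receiver P_j's check in the reveal phase; returns m, or None for bottom."""
    com1, com2 = com
    m, r1, r2, dec2 = dec
    o2 = C_verify(com2, dec2)
    if o2 is None or o2 != ro.query(sid, r2):
        return None
    if C_com(ro.query(sid, encode(b"msg", ssid, i, j, m, r1)), r2) != com1:
        return None
    return m


def HC_extract(ro, sid, com):
    """Simulator's extraction from a corrupted committer's (com1, com2).

    Any (ssid,i,j,m,r1) and any r2 that can later open com1 must already have been
    queried to the simulated oracle (r2 because com2 commits to O(r2)), so trying all
    logged combinations is polynomial work; an unopenable com1 yields None."""
    com1, _ = com
    queries = [x for (s, x) in ro.log if s == sid]
    for q in queries:
        if not q.startswith(encode(b"msg")):
            continue
        for r2 in queries:
            if C_com(ro.table[(sid, q)], r2) == com1:
                return decode(q)[4]               # fields: tag, ssid, i, j, m, r1
    return None
```

Two things worth trying on the block: opening a commitment under a different ssid or party identity fails even with a correct decommitment, which is the "no re-use across subsessions" point of the proof, and running HC_extract against a fresh RandomOracle (no query log) returns None, which is exactly the case the proof dismisses as unopenable except with negligible probability.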

As mentioned above, we would like to be able to deduce security properties of the scheme $\mathrm{HC}_{\mathcal{C}}$ even after substituting all random oracles $O$ by suitable hash functions. Let therefore $\mathrm{HC}_{\mathcal{C},\mathcal{H}}$ denote the scheme which is identical to $\mathrm{HC}_{\mathcal{C}}$, except that all $O$-queries are replaced by evaluations of $H_k$, where $\mathcal{H} = \{H_k\}$ is a family of collision-free hash functions as defined in the preliminaries.

Proposition 2. Once $\mathcal{H} = \{H_k\}$ is a family of collision-free hash functions and $\mathcal{C} = \{C_k, V_k\}$ is a non-interactive string commitment scheme, the scheme $\mathrm{HC}_{\mathcal{C},\mathcal{H}} = \{C_k, V_k\}$ (as described above) is also a non-interactive string commitment scheme. Furthermore, if $\mathcal{C}$ is unconditionally hiding, then so is $\mathrm{HC}_{\mathcal{C},\mathcal{H}}$.

Proof. Meaningfulness, binding and hiding properties of $\mathrm{HC} = \mathrm{HC}_{\mathcal{C},\mathcal{H}}$ need to be checked. The meaningfulness of HC follows directly from that of $\mathcal{C}$. Furthermore, every algorithm $B$ which supplies an HC-commitment together with two decommitments yielding different messages has to supply in particular a $\mathcal{C}$-commitment together with two $\mathcal{C}$-decommitments yielding messages $H_k(m, r_1)$, resp. $H_k(m', r_1')$. If both are equal, $B$ has found an $H_k$-collision (since $m \neq m'$ by assumption); if the hash values are different, then $B$ breaks the binding property of $\mathcal{C}$. In either case, we have shown the binding property of HC.

Now for the hiding property, consider the scheme $\mathrm{HC}' = \{C_k', V_k'\}$ which is identical to HC, except that the $\mathcal{C}$-commitment to $H_k(r_2)$ (where $r_2$ denotes the random coins used in the $\mathcal{C}$-commitment to $H_k(m, r_1)$) is replaced by a $\mathcal{C}$-commitment to $0^k$. More formally, $C_k'$ computes $(com', dec')$ with $com' \leftarrow (com_k^{\mathcal{C}}(H_k(m, r_1); r_2),\ com_k^{\mathcal{C}}(0^k))$ and $dec' \leftarrow (m, r_1, r_2)$; the definition of $V_k'$ is obvious.

Let $A$ be a probabilistic, polynomial-time algorithm which breaks the computational hiding property of HC. More specifically, say that there are messages $m_1, m_2 \in \{0,1\}^*$ such that the difference

$$\mathrm{Adv}(A, \mathrm{HC}, m_1, m_2) := \Pr[A(com_k^{\mathrm{HC}}(m_1)) \to 1] - \Pr[A(com_k^{\mathrm{HC}}(m_2)) \to 1]$$

is a non-negligible function in $k$. Assume first that

$$\mathrm{Adv}(A, \mathrm{HC}', m_1, m_2) := \Pr[A(com_k^{\mathrm{HC}'}(m_1)) \to 1] - \Pr[A(com_k^{\mathrm{HC}'}(m_2)) \to 1]$$

is non-negligible in $k$ as well. Since by construction a $\mathcal{C}$-commitment to a message $H_k(m, r_1)$ can be extended to an HC'-commitment to the message $m$ without knowledge of $m$ or $r_1$, it follows that from $A$ we can build a probabilistic, polynomial-time algorithm $A_1$ with

$$\Pr[A_1(com_k^{\mathcal{C}}(H_k(m_1, r_1))) \to 1] - \Pr[A_1(com_k^{\mathcal{C}}(H_k(m_2, r_1))) \to 1]$$

non-negligible in $k$ for a certain, fixed $r_1 \in \{0,1\}^k$. Such an $A_1$ would break the hiding property of $\mathcal{C}$, thereby yielding a contradiction.

On the other hand, suppose that $\mathrm{Adv}(A, \mathrm{HC}', m_1, m_2)$ is negligible in $k$. As then

$$\begin{aligned}
&\mathrm{Adv}(A, \mathrm{HC}, m_1, m_2) - \mathrm{Adv}(A, \mathrm{HC}', m_1, m_2) \\
&\quad = \bigl(\Pr[A(com_k^{\mathrm{HC}}(m_1)) \to 1] - \Pr[A(com_k^{\mathrm{HC}'}(m_1)) \to 1]\bigr) \\
&\qquad - \bigl(\Pr[A(com_k^{\mathrm{HC}}(m_2)) \to 1] - \Pr[A(com_k^{\mathrm{HC}'}(m_2)) \to 1]\bigr)
\end{aligned}$$

is non-negligible, at least one of the two bracketed terms on the right-hand side must be as well. So say that $\Pr[A(com_k^{\mathrm{HC}}(m_i)) \to 1] - \Pr[A(com_k^{\mathrm{HC}'}(m_i)) \to 1]$ is non-negligible (for a fixed $i \in \{1, 2\}$). Then there have to be certain, fixed $r_1, r_2$ for which $A$ can distinguish tuples $(com_k^{\mathcal{C}}(H_k(m_i, r_1); r_2),\ com_k^{\mathcal{C}}(H_k(r_2)))$ from tuples $(com_k^{\mathcal{C}}(H_k(m_i, r_1); r_2),\ com_k^{\mathcal{C}}(0^k))$. Hence from $A$ we can construct a probabilistic, polynomial-time algorithm $A_2$ with

$$\Pr[A_2(com_k^{\mathcal{C}}(H_k(r_2))) \to 1] - \Pr[A_2(com_k^{\mathcal{C}}(0^k)) \to 1]$$

non-negligible in $k$, thereby breaking the hiding property of $\mathcal{C}$. So in either case, we have a contradiction and there can be no such algorithm $A$; consequently, HC must be computationally hiding. As this reduction also applies to computationally unbounded algorithms $A$, a possible unconditional hiding property of $\mathcal{C}$ is preserved. □
3.3 Preserving Unconditional Binding

Although we have shown that the construction $\mathrm{HC}_{\mathcal{C},\mathcal{H}}$ preserves the hiding and computational binding properties of $\mathcal{C}$, this is not true for a potential unconditional binding property: any algorithm breaking the collision-freeness of $\mathcal{H}$ can be used to generate HC-commitments together with multiple decommitments to different messages. (Note that with HC, we are actually committed only to the hash value of a message.)

An unconditionally binding string commitment scheme cannot completely hide the length of the message committed to; to reflect this in an idealization, we define the ideal functionality $\mathcal{F}_{\mathrm{BSCOM}}$ to be identical to $\mathcal{F}_{\mathrm{SCOM}}$ (cf. Figure 2), except that $\mathcal{F}_{\mathrm{BSCOM}}$ supplies the simulator $S$ upon a commitment to a message $m$ with the bit length $|m|$ of this message. This length information is included in the respective request message sent to the simulator.

Let $F_{\mathcal{H}}$ be the following probabilistic, polynomial-time (in both the security parameter $k$ and its input length) algorithm, where $\mathcal{H} = \{H_k\}_k$ is a family of functions $H_k : \{0,1\}^* \to \{0,1\}^k$ which in turn are computable in polynomial time. Upon input $m = m_1 \cdots m_n \in \{0,1\}^n$, $F_{\mathcal{H}}$ uniformly selects $s_1, \ldots, s_n \in \{0,1\}^k$ with each $s_i$ satisfying $s_i H_k(s_i) \neq H_k(s_i) s_i$ and outputs

$$F_{\mathcal{H}}(m) = \pi(m_1, s_1, H_k(s_1)) \cdots \pi(m_n, s_n, H_k(s_n)),$$

where $\pi(0, s, t) = (s, t)$ and $\pi(1, s, t) = (t, s)$ for arbitrary $s, t \in \{0,1\}^*$. Algorithm $F_{\mathcal{H}}$ will be used to encode a message in a way that is equivocable (for the simulator) yet binding (for parties). To extract the encoded message, we will use the following polynomial-time computable function $F_{\mathcal{H}}^{-1}$. We set

$$F_{\mathcal{H}}^{-1}(m) = \begin{cases} 0 & \text{if } r = H_k(l) \text{ and } l \neq H_k(r) \\ 1 & \text{if } r \neq H_k(l) \text{ and } l = H_k(r) \\ \bot & \text{else} \end{cases}$$

for $m = lr$ with $l, r \in \{0,1\}^k$. For $m = m_1 \cdots m_\ell$ with $\ell > 1$ and all $m_i \in \{0,1\}^{2k}$, we define $F_{\mathcal{H}}^{-1}(m) = F_{\mathcal{H}}^{-1}(m_1) \cdots F_{\mathcal{H}}^{-1}(m_\ell)$. In all other cases, we set $F_{\mathcal{H}}^{-1}(m) = \bot$.
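The encoding $F_{\mathcal{H}}$ and its inverse, together with the way the simulator in the proof of Proposition 3 equivocates such an encoding, as an added Python example (not code from the paper). $H_k$ is instantiated with SHA-256 for the real-hash case and K = 32 bytes; the class ProgrammableRO is an assumed model of a random oracle the simulator controls (it runs $\mathcal{F}_{\mathrm{RO}}$ itself, so it may fix a reply before the point is queried), and decoded messages are lists of bits. Both assumptions are this example's, not the paper's.

```python
import hashlib
import secrets

K = 32  # output length of H_k in bytes (k = 256 bits); a choice assumed for this example


def H(s):
    """Stand-in for the collision-free hash H_k (assumption: SHA-256)."""
    return hashlib.sha256(s).digest()


def F_encode(m, h=H):
    """F_H: bit 0 -> (s, h(s)), bit 1 -> (h(s), s) for a fresh uniform s per bit."""
    blocks = []
    for bit in m:
        while True:
            s = secrets.token_bytes(K)
            if s != h(s):            # the paper's condition s h(s) != h(s) s
                break
        blocks.append(s + h(s) if bit == 0 else h(s) + s)
    return b"".join(blocks)


def F_decode(f, h=H):
    """F_H^{-1}: list of bits, or None (bottom) if some 2k-bit block is malformed."""
    if len(f) == 0 or len(f) % (2 * K) != 0:
        return None
    bits = []
    for p in range(0, len(f), 2 * K):
        l, r = f[p:p + K], f[p + K:p + 2 * K]
        if r == h(l) and l != h(r):
            bits.append(0)
        elif r != h(l) and l == h(r):
            bits.append(1)
        else:
            return None              # neither half is the hash of the other, or both are
    return bits


class ProgrammableRO:
    """Lazy random oracle under the simulator's control: it may fix h(x) before x is queried."""

    def __init__(self):
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = secrets.token_bytes(K)
        return self.table[x]

    def program(self, x, y):
        if x in self.table:          # already queried: the negligible-probability failure case
            raise ValueError("cannot program an already-queried point")
        self.table[x] = y


def simulated_encoding(ell):
    """The simulator's equivocable f: 2*ell*k uniform bits, fixed before m is known."""
    return secrets.token_bytes(2 * ell * K)


def equivocate(ro, f, m):
    """Program ro so that F_decode(f, ro) == m, as the simulator of Proposition 3 does."""
    for idx, bit in enumerate(m):
        a = f[2 * idx * K:(2 * idx + 1) * K]
        b = f[(2 * idx + 1) * K:(2 * idx + 2) * K]
        if bit == 0:
            ro.program(a, b)         # makes r == h(l); h(r) stays fresh, so l != h(r)
        else:
            ro.program(b, a)         # makes l == h(r); h(l) stays fresh, so r != h(l)
```

With the real hash, the same f decodes to one message and nothing else, which is what keeps the construction of Section 3.3 binding; with the oracle under the simulator's control, one and the same f can be opened to any message of the right length, and the only way equivocate can fail is that a point of f was already queried, which for uniformly chosen f happens with negligible probability.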

Given a non-interactive string commitment scheme C, consider a protocol 
BHCc, whose “infrastructure” is identical to that of protocol HCc, but the com- 
mitment and decommitment messages differ slightly, as does the verification 
procedure. Protocol bhCc is described in Figure 4. 

Proposition 3. Assuming authenticated links, protocol bhCc securely realizes 
i^BscOM with respect to adaptive adversaries as soon as C = {Ck,Vk} is a non- 
interactive string commitment scheme. 

Proof. The proof is very similar to the one of Proposition 1, and we will only 
describe the necessary modifications to the simulator S. For generating an equiv- 
ocable commitment to a message of length £ (here we use the length information 
with which JFbscom supplies S upon commitment requests), S picks s G {0, 1}*, 
/ G {0,1}^^*, then generates C-commitments Ck{s,f',r 2 ) and Ck{Osid{r 2 )) and 
Protocol $\mathrm{BHC}_C$

These are instructions for parties $P_1$ through $P_n$ to carry out commitments in the $\mathcal{F}_{\mathrm{RO}}$-hybrid model.

— When activated with input $(\mathtt{commit}, sid, ssid, P_i, P_j, m)$, where $m \in \{0,1\}^*$, $P_i$ computes $f \leftarrow F_{\mathcal{O}_{sid}}(m)$ and $(com_1, dec_1) \leftarrow C_k(\mathcal{O}_{sid}(ssid, i, j, f), f; r_2)$. Then, $P_i$ computes $(com_2, dec_2) \leftarrow C_k(\mathcal{O}_{sid}(r_2))$ and sends the message $(sid, ssid, com_1, com_2)$ to $P_j$ while storing $(ssid, j, f, r_2, dec_2)$. Any further $(\mathtt{commit}, sid, ssid, P_i, P_j, \cdot)$ inputs are ignored.

— When receiving $(sid, ssid, com_1, com_2)$ from $P_i$, where $com_1, com_2 \in \{0,1\}^*$ and $ssid$ is a subsession ID under which $P_j$ did not yet get such a message from any party, $P_j$ stores the pair $(ssid, i, com_1, com_2)$ and locally outputs $(\mathtt{receipt}, sid, ssid, P_i, P_j)$. Any future messages $(sid, ssid, com_1, com_2)$ from $P_i$ (with the same $sid$ and $ssid$) are ignored.

— When activated on input $(\mathtt{reveal}, sid, ssid, P_j)$, $P_i$ checks if it has stored a tuple $(ssid, j, f, r_2, dec_2)$ (for any $f, dec_2$). If so, $P_i$ sends $(sid, ssid, f, r_2, dec_2)$ to $P_j$. Any future inputs $(\mathtt{reveal}, sid, ssid, P_j)$ are ignored.

— When receiving $(sid, ssid, f, r_2, dec_2)$ with $f, r_2, dec_2 \in \{0,1\}^*$ from $P_i$ while already having received a value $(sid, ssid, com_1, com_2)$ also from $P_i$, party $P_j$ first computes $o_2 \leftarrow V_k(com_2, dec_2)$. Then, if $o_2 = \mathcal{O}_{sid}(r_2)$, $P_j$ checks if $\mathrm{com}_k(\mathcal{O}_{sid}(ssid, i, j, f), f; r_2)$ equals $com_1$ and if $m \neq \bot$ for $m \leftarrow F_{\mathcal{O}_{sid}}^{-1}(f)$. If so, $P_j$ locally outputs $(\mathtt{reveal}, sid, ssid, P_i, P_j, m)$ and ignores further $(sid, ssid, \ldots)$ messages. In any other case, $P_j$ does nothing.

Fig. 4. Protocol $\mathrm{BHC}_C$

with these simulates a commitment as before. Later, when being forced to unveil this commitment as a commitment to $m \in \{0,1\}^\ell$, $S$ lets the simulated committer $P_i^{(s)}$ perform a commitment to $m$ as before, but forces

— $P_i^{(s)}$ to compute $F_{\mathcal{O}_{sid}}(m)$ as the given $f$ by altering $P_i^{(s)}$'s random tape, resp. the random tape of $\mathcal{F}_{\mathrm{RO}}$,

— the simulated $\mathcal{F}_{\mathrm{RO}}$ to output $s$ when queried by $P_i^{(s)}$ on $(ssid, i, j, f)$.

Again, this "tampering" with $\mathcal{F}_{\mathrm{RO}}$ is possible only if $\mathcal{F}_{\mathrm{RO}}$ was not queried on any of these values before. By the hiding property of $C$ and the randomization of $F_{\mathcal{O}_{sid}}$, this is guaranteed to occur only negligibly often. Note here also that both hash values $s$ and $f$ are valid for only one subsession (i.e., for one single commitment).

The extraction of the message committed to from a commitment that was generated according to $\mathrm{BHC}_C$ is straightforward; again, if a commitment was not generated as specified by $\mathrm{BHC}_C$, it can only be unveiled with negligible probability. With these changes, the proof of Proposition 1 applies. □

Once again, by dropping protocol-inherent information, protocol $\mathrm{BHC}_C$ may formally be regarded as a non-interactive commitment scheme. Therefore, we set $\mathrm{BHC}_C = \{C_k, V_k\}$, where algorithm $C_k$ computes $f \leftarrow F_{\mathcal{O}}(m)$, then $com \leftarrow (\mathrm{com}_k(\mathcal{O}(f), f; r_2), \mathrm{com}_k(\mathcal{O}(r_2); r_3))$ and $dec \leftarrow (f, r_2, \mathrm{dec}_k(\mathcal{O}(r_2); r_3))$ for random coins $r_2, r_3 \in \{0,1\}^*$, and finally returns $(com, dec)$. On input $(com, dec)$ of the form $com = (com_1, com_2)$ and $dec = (f, r_2, dec_2)$, algorithm $V_k$ computes $o_2 \leftarrow V_k(com_2, dec_2)$ and, if $o_2 = \mathcal{O}(r_2)$, checks whether $com_1$ equals $\mathrm{com}_k(\mathcal{O}(f), f; r_2)$. Only in this case $V_k$ returns $F_{\mathcal{O}}^{-1}(f)$, otherwise it returns $\bot$.
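An added example (not the paper's own code) that implements the encoding $F_H$ and its inverse $F_H^{-1}$ defined above together with the non-interactive scheme $\mathrm{BHC}_C = \{C_k, V_k\}$ of the previous paragraph. It assumes SHA-256 as a stand-in for both the hash family $H_k$ and the oracle $\mathcal{O}$, a plain hash-based commitment as a stand-in for $C$, and seeds $s_i$ of $K = 32$ bytes so that both halves of a block of $f$ have equal length; the demo shows that an honest opening recovers $m$, while re-orienting one block of $f$ changes $F_H^{-1}(f)$ but is rejected because $com_1$ binds $f$.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Assumptions (not the paper's choices): SHA-256 stands in for the hash family
# H_k and for the oracle O, and seeds s_i are K = 32 bytes so that
# |s_i| = |H(s_i)| and every block of an encoding f is exactly 2K bytes.
K = 32


def H(x: bytes) -> bytes:
    """Stand-in for H_k (assumption: one fixed collision-resistant hash)."""
    return hashlib.sha256(x).digest()


def pi(bit: int, s: bytes, t: bytes) -> bytes:
    """pi(0, s, t) = (s, t) and pi(1, s, t) = (t, s), as defined in the paper."""
    return s + t if bit == 0 else t + s


def f_encode(m: str) -> bytes:
    """F_H(m): pick a fresh seed s_i per bit m_i and output pi(m_i, s_i, H(s_i))."""
    out = b""
    for ch in m:
        if ch not in "01":
            raise ValueError("m must be a bit string such as '0110'")
        s = secrets.token_bytes(K)
        while H(s) == s:            # the paper requires s_i H(s_i) != H(s_i) s_i
            s = secrets.token_bytes(K)
        out += pi(int(ch), s, H(s))
    return out


def f_decode(f: bytes) -> Optional[str]:
    """F_H^{-1}(f): recover the bits; None plays the role of the paper's bottom."""
    if len(f) == 0 or len(f) % (2 * K) != 0:
        return None                 # "in all other cases" of the definition
    bits = []
    for i in range(0, len(f), 2 * K):
        l, r = f[i:i + K], f[i + K:i + 2 * K]
        if r == H(l) and l != H(r):
            bits.append("0")
        elif r != H(l) and l == H(r):
            bits.append("1")
        else:
            return None             # a block in neither orientation: bottom
    return "".join(bits)


def C_commit(x: bytes, coins: bytes) -> Tuple[bytes, Tuple[bytes, bytes]]:
    """Stand-in for C_k(x; r) (assumption): a plain hash-based commitment."""
    return H(b"commit" + coins + x), (x, coins)


def C_verify(com: bytes, dec: Tuple[bytes, bytes]) -> Optional[bytes]:
    """Stand-in for V_k(com, dec): the committed x, or None if dec does not open com."""
    x, coins = dec
    return x if C_commit(x, coins)[0] == com else None


def bhc_commit(m: str):
    """C_k of BHC_C: f <- F_H(m), com = (C(H(f), f; r2), C(H(r2); r3)),
    dec = (f, r2, dec2).  H(f) and H(r2) replace the oracle values O(f), O(r2)."""
    f = f_encode(m)
    r2, r3 = secrets.token_bytes(K), secrets.token_bytes(K)
    com1, _ = C_commit(H(f) + f, r2)
    com2, dec2 = C_commit(H(r2), r3)
    return (com1, com2), (f, r2, dec2)


def bhc_verify(com, dec) -> Optional[str]:
    """V_k of BHC_C: open com2, check it hides H(r2), recompute com1 from
    (f, r2), and only then return F_H^{-1}(f); None in every other case."""
    com1, com2 = com
    f, r2, dec2 = dec
    if C_verify(com2, dec2) != H(r2):
        return None
    if C_commit(H(f) + f, r2)[0] != com1:
        return None
    return f_decode(f)


if __name__ == "__main__":
    com, dec = bhc_commit("0110")
    print(bhc_verify(com, dec))                       # 0110
    f, r2, dec2 = dec
    # Swapping the halves of the first block flips bit 1 of F_H^{-1}(f) ...
    f_swapped = f[K:2 * K] + f[:K] + f[2 * K:]
    print(f_decode(f_swapped))                        # 1110
    # ... but com1 is bound to the original f, so the opening is rejected.
    print(bhc_verify(com, (f_swapped, r2, dec2)))     # None
```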

As will be shown, $\mathrm{BHC}_C$ preserves not only hiding properties of $C$, but also a possible unconditional binding property, albeit at the price of being less efficient than $\mathrm{HC}_C$ and leaking information about the length $|m|$ of the message being committed to.

Proposition 4. Once $\mathcal{H} = \{H_k\}$ is a family of collision-free hash functions for which $F_{H_k}^{-1}$ is efficiently computable and $C = \{C_k, V_k\}$ is a non-interactive string commitment scheme, the scheme $\mathrm{BHC}_{C,\mathcal{H}} = \{C_k, V_k\}$ (as described above) is also a non-interactive string commitment scheme. If $C$ is unconditionally hiding, then so is $\mathrm{BHC}_{C,\mathcal{H}}$. If $C$ is unconditionally binding, then so is $\mathrm{BHC}_{C,\mathcal{H}}$.

Proof. The meaningfulness of $\mathrm{BHC}_{C,\mathcal{H}} = \mathrm{BHC}$ follows from that of $C$. The computational binding property of $\mathrm{BHC}$ follows as in the proof of Proposition 2; furthermore, as $F_{H_k}^{-1}(F_{H_k}(m)) = m$ for any $k, m$, the same argument shows that $\mathrm{BHC}$ is unconditionally binding if $C$ is. Also for the hiding properties of $\mathrm{BHC}$, the argument of the proof of Proposition 2 applies when we set $\mathrm{BHC}' = \{C'_k, V'_k\}$. When being run on input $m$, algorithm $C'_k$ computes the tuple $(com', dec')$ with $com' \leftarrow (\mathrm{com}_k(H_k(f), f; r_2), \mathrm{com}_k(0^k; r_3))$ and $dec' \leftarrow (f, r_2)$ for $f \leftarrow F_{H_k}(m)$. The definition of $V'_k$ is obvious. □



4 Conclusions 

In the model of [Can01] bit commitment cannot be securely realized without additional assumptions, e.g. the availability of an additional functionality like a common reference string or, as proposed in this work, a random oracle. As a motivation for the use of random oracles we discussed difficulties which may arise when a common reference string functionality is replaced by a cryptographic primitive which is realizable from scratch.

This contribution gave two constructions which allow one to turn a given non-interactive bit commitment into a universally composable commitment scheme in the random oracle model. The resulting commitment schemes remain binding and hiding even if the random oracles are replaced by collision resistant hash functions. The second construction even preserves the property of perfect binding.

One referee pointed out that a separation of the random oracle model and the CRS model is a consequence of our result. Namely, [DG03] showed that from the existence of a universally composable bit commitment in a CRS model, a secure key exchange protocol can be derived. However, in the random oracle model, we proved that a binding and concealing bit commitment can be transformed into a universally composable one. So if a random oracle could be implemented using a common reference string (drawn from a suitable distribution), the existence of a binding and concealing bit commitment alone would imply a secure key exchange protocol. (In fact, it seems that a universally composable bit commitment can be implemented in the random oracle model without any further assumptions, thus yielding a stronger separation.) On the other hand, implementing a common reference string in the random oracle model can be — depending on the distribution of the reference string — non-trivial.

It is an interesting open question how the constructions given here affect the 
non-malleability of a given commitment scheme. To the best of our knowledge it 
is not clear how relations among committed values behave with respect to the 
use of hash functions in the given constructions. 
A The Functionality $\mathcal{F}_{\mathrm{MCOM}}$

For convenience, here we reproduce the description of the ideal functionality $\mathcal{F}_{\mathrm{MCOM}}$ from [CLOS02]:

Functionality $\mathcal{F}_{\mathrm{MCOM}}$

$\mathcal{F}_{\mathrm{MCOM}}$ proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $S$:

— Commit Phase: Upon receiving a message $(\mathtt{commit}, sid, ssid, P_i, P_j, b)$ from $P_i$, where $b \in \{0,1\}$, record the tuple $(ssid, P_i, P_j, b)$ and send the message $(\mathtt{receipt}, sid, ssid, P_i, P_j)$ to $P_j$ and $S$. Ignore any future commit messages with the same $ssid$ from $P_i$ to $P_j$.

— Reveal Phase: Upon receiving a message $(\mathtt{reveal}, sid, ssid)$ from $P_i$: If a tuple $(ssid, P_i, P_j, b)$ was previously recorded, then send the message $(\mathtt{reveal}, sid, ssid, P_i, P_j, b)$ to $P_j$ and $S$. Otherwise, ignore.





Transformation of Digital Signature Schemes 
into Designated Confirmer Signature Schemes 



Shafi Goldwasser^{1,2} and Erez Waisbard^1

^1 Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel.
{shafi,waisbard}@wisdom.weizmann.ac.il

^2 Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, MA 02139.



Abstract. Since designated confirmer signature schemes were intro- 
duced by Chaum and formalized by Okamoto, a number of attempts 
have been made to design designated confirmer signature schemes which 
are efficient and at the same time provably secure under standard cryp- 
tographic assumptions. Yet, there has been a consistent gap in secu- 
rity claims and analysis between all generic theoretical proposals and 
any concrete implementation proposal one can envision using in prac- 
tice. In this paper we propose a modification of Okamoto’s definition 
of security which still captures security against chosen message attack, 
and yet enables the design of concrete and reasonably efficient desig- 
nated confirmer signature schemes which can be proved secure without 
resorting to random oracle assumptions as previously done. In particu- 
lar, we present simple transformations of the digital signature schemes 
of Cramer-Shoup, Goldwasser-Micali-Rivest and Gennaro-Halevi-Rabin 
into secure designated confirmer signature schemes. We prove security of 
the schemes obtained under the same security assumption made by the 
digital signature scheme transformed and an encryption scheme we use 
as a tool. 



1 Introduction 

Digital signatures, introduced by Diffie and Hellman [7], are analogous to signatures in the paper world in the sense that a message that is being signed by the signer can later be verified by everyone else. As in the paper world, a signer cannot deny signing a document that carries his signature. There are real life scenarios, however, in which the signer wishes that the recipient of the signature would not be able to present the signature to other parties at will.

For example, say a potential employer extends a job offer to a candidate employee including a salary figure. On one hand the employer does not want the employee to show the offer letter to a competitor to elicit a higher salary, and on the other hand the future employee wants to be assured that the offer is binding and can be held up in court. For such a setting we would like to have a signature scheme in which:
• A court of law (or some other third party) is able (if called upon) to verify the authenticity of the signature.

• No one but the court of law should be able to validate the authenticity of the signature (unless the signer steps in).

• The signer should be able to convince the recipient of the signature that it is indeed authentic and can be validated by the court if necessary.

The first attempt to address the issue of signatures that cannot be verified by everyone was Undeniable Signatures by Chaum [5]. Undeniable signatures cannot be verified without the signer's cooperation. The signer can either validate a signature or prove it invalid. The problem with this idea is that in any setting where the signer becomes unavailable (of which there may be many) nothing can be determined.

A different idea, called Designated Verifier Signature schemes, was presented by Jakobsson, Sako and Impagliazzo [17]. A designated verifier signature is a signature that can only be validated by a single user, designated by the signer. Designated verifier signatures can be used to authenticate the identity of the signer without having the ability to convince any third party of its validity. Its merit is also its weakness: there is indeed no way to force the signer to honor his signature.

Designated Confirmer Signature schemes (DCS), introduced by Chaum [4], address both of the above problems. The parties in a DCS are the signer, the recipient of the signature (aka the verifier) and a designated confirmer. The idea of DCS is that during the process of signing, which involves the signer and recipient (as usual), a designated confirmer signature $\sigma$ is generated. The recipient of the signature cannot convince anyone else of the validity of $\sigma$. Rather, the designated confirmer, given $\sigma$, has the ability to verify it on his own as well as to convince anyone of its validity/invalidity. The designated confirmer remains completely passive, unless the signer becomes unavailable. In such a case, the designated confirmer can either convert the designated confirmer signature into an ordinary signature that can be validated by anyone, or engage in an interactive protocol with any verifier to confirm the validity of the signature. The confirmer is only semi-trusted in the sense that he can only extract/validate signatures for messages which the signer designated him to. Perhaps the most natural candidate to act as a semi-trusted designated confirmer is a court of law.

Going back to the job offer scenario, the employer would sign his offer using 
a DCS scheme, making the court of law the designated confirmer. Using DCS 
ensures that the candidate would not be able to convince other employers of the 
authenticity of the offer, and yet if the employer changes his mind (or becomes 
unavailable) the candidate can present a signed offer to the court of law and ask 
for compensation. 

A straightforward way to construct a designated confirmer signature scheme, using standard cryptographic primitives such as public-key encryption schemes and digital signature schemes, would be to first sign a message $m$ using an ordinary signature scheme and then encrypt the signature using the designated confirmer's public key^1. The resulting ciphertext would serve as the designated confirmer signature $\sigma$ of $m$. Since the signature is encrypted, only the designated confirmer can be convinced of its validity. Moreover, the designated confirmer can easily extract an ordinary signature from it. One question remains: if the recipient cannot verify the validity of $\sigma$ on his own, how can he know that he indeed got a valid one? Zero-knowledge naturally comes to the rescue. In order for the recipient to be convinced of the validity of the DCS, the signer and recipient interact in a zero-knowledge proof in which the signer proves to the verifier that what he got is indeed an encryption of a verifiable ordinary signature of $m$. Since the last assertion is an NP statement, there exist general protocols that achieve this.

The above construction is straightforward and can be easily proved secure. The main problem is that we do not know of efficient zero-knowledge proofs for the assertion that the cleartext corresponding to a given ciphertext contains a valid (or invalid) signature of a given document. Proving such statements using general zero-knowledge proofs for NP involves the reduction step to an NP-complete language, which makes them unusable in practice. Several works on DCS attempted to remedy the situation and come up with efficient direct DCS constructions. In doing so they either resort to the random oracle assumption for proving security or make no formal claims of security, and thus all trade efficiency for proofs of security in the standard model. We summarize the state of the art in Section 1.2.

The goal of the current paper is to present DCS schemes with proofs of 
security in the standard model which do not involve the inefficient step of using 
general zero-knowledge proofs for proving the validity of signatures. 

Our approach in achieving this goal is to modify the original definition of 
security for DCS due to Okamoto [19] to not require zero-knowledge proofs for 
validity assertions, and then show efficient constructions of DCS schemes which 
satisfy the new security definition. 

We note that an alternative approach toward the same goal would be to construct custom-made efficient zero-knowledge proofs, tailored to a particular encryption scheme and a particular digital signature scheme, for the assertion that the cleartext corresponding to a given ciphertext contains a valid (or invalid) signature of a given document. Indeed, utilizing the Cramer-Shoup CCA2 secure public key encryption scheme in some of the confirmation and disavowal protocols proposed in [2] translates to proving statements concerning the equality (and inequality) of discrete logarithms in zero-knowledge. A recent article of Camenisch and Shoup [3] shows ingenious, if somewhat complex, ways to accomplish this directly without resorting to general zero-knowledge protocols.



^1 All that is required from a designated confirmer in the signing stage is to have a known public key. Other than that the designated confirmer does not need to be aware that his key is used.
1.1 New Results

We propose a new definition of DCS, modifying the original definitions of Okamoto [19] and Camenisch and Michels [2] in several ways. The most important modification is to remove the requirement that the confirmation protocols between signer and verifier and between confirmer and verifier, confirming that a designated confirmer signature is valid, must be zero-knowledge^2. We instead only require that the resulting scheme is existentially unforgeable in the presence of chosen message attack. We stress that a forgery in this context is the ability of anyone but the legal signer to convince a verifier of knowledge of a valid signature of any message. This includes also those messages which have already been signed by the legal signer. Naturally, in the latter case of messages which have already been signed, the designated confirmer can also convince a verifier of the knowledge of valid signatures for these messages, but for no other message.

We give a general transformation that takes any standard digital signature 
scheme and a public key encryption scheme and turns them into a designated 
confirmer signature scheme. We prove that if the originating signature scheme is 
existentially unforgeable under chosen message attack and the public key encryp- 
tion is secure against CCA2, then the resulting designated confirmer signature 
scheme is provably secure according to the new definition under the same as- 
sumptions made by the digital signature scheme and the encryption scheme. 

The main tool our general transformation uses is strong witness hiding proofs of knowledge (SWHPOK). Witness hiding proofs of knowledge (WHPOK) for polynomial time verifiable relations $R$, as defined originally by [9], only guarantee that on input $x$ all witnesses $w$ s.t. $(x, w) \in R$ remain hidden. SWHPOK require the additional property that on input $x$ the protocol does not reveal witnesses $w'$ for any other inputs $x' \neq x$. Notably, the general WHPOK protocols for polynomial time verifiable relations [14,9], which exist if one way permutations exist, are already SWHPOK.

Having removed the requirement that the signing and confirmation protocols 
are zero-knowledge enables using SWHPOK protocols for this purpose instead. 
The witness in question is a standard digital signature of a message in the sense of 
[16]. We remark that witness hiding proofs (even strong ones) are in general easier 
to design than zero-knowledge proofs. Moreover, for a large class of concrete 
digital signature schemes - including Cramer-Shoup signatures [6], Goldwasser- 
Micali-Rivest signatures [16] and the Gennaro-Halevi-Rabin signatures [15] - we 
give simple and direct strong witness hiding proofs of knowledge of a signature for 
the scheme at hand. Thus, for these digital signature schemes, we give concrete 
designated confirmer signature schemes which are proved secure under the same 

^2 An important implication of removing the indistinguishability security requirement is that [19] proved that designated confirmer signature schemes and public-key encryption are equivalent. The way Okamoto proved that designated confirmer signatures imply public key encryption was based on the indistinguishability between a designated confirmer signature of a message $m$ and a fake signature. He used a valid signature to encrypt the bit 0 and a fake signature to encrypt the bit 1. Clearly, after modifying the security requirement, this proof no longer holds.
cryptographic assumption the original signature scheme was based on and the existence of a CCA2 secure public key encryption scheme.

The second tool our transformation uses is to take a strong witness hiding proof of knowledge of a signature and modify it so that, in the process of proving this knowledge, the signer also "encrypts" the signature under the confirmer's public key so that the confirmer can later "decrypt" and extract the signature. We prove that if the verifier accepts the proof of knowledge, then with high probability the confirmer will be able to extract the signature from the transcript between signer and verifier. We call this modification of a strong witness hiding proof of knowledge an encrypted strong witness hiding proof of knowledge. The designated confirmer signature of a message is defined to be this transcript of the encrypted proof of knowledge. We use the ideas of Camenisch and Damgård [1] in their work on verifiable encryption to get encrypted witness hiding proofs of knowledge.^3

Putting the above ideas together, it is straightforward to get a DCS construction from a standard digital signature scheme. For a message $m$, the signer first produces an ordinary signature of $m$, denoted $\sigma(m)$. Next, the signer and verifier engage in an encrypted strong witness hiding proof of knowledge of $\sigma(m)$. If the verifier accepts, the transcript of the interaction can be stored by the verifier as the designated confirmer signature of $m$. Presented with the transcript, the confirmer can extract $\sigma(m)$ from it, and prove knowledge of $\sigma(m)$ using a strong witness hiding proof of knowledge, thus confirming the validity of the designated confirmer signature.

Lastly, we note that unlike the SWHPOK protocols for signing and confirmation of validity of a designated confirmer signature, we still advocate and use in our general transformation a zero-knowledge proof for the invalidity of a designated confirmer signature, a so-called Disavowal protocol. This is natural, as when $\sigma'$ is an invalid designated confirmer signature, there is no witness to speak of whose secrecy one needs to protect! We argue this has little effect on the overall efficiency of the scheme as we expect to rarely use Disavowal. Whereas in undeniable signature schemes proving the invalidity of a signature via a Disavowal protocol had a crucial role, since it was up to the signer to either confirm or disavow an alleged signature and refusal to disavow could be interpreted as confirming it, this is no longer the case in DCS schemes. The need for a disavowal protocol in a DCS scheme arises only when a cheating verifier claims an invalid designated confirmer signature $\sigma'$ is indeed valid. Since the verifier cannot convince anyone of the signature's validity without the help of the designated confirmer, it usually suffices that the designated confirmer will say

^3 [1] proposes an elegant technique of modifying any 3-round honest verifier zero-knowledge proof for a relation $R$ so that at the end of the protocol the verifier will be guaranteed with high probability to hold a semantically secure encryption of a witness $w$ for a given $x$ where $(w, x) \in R$. They showed the relevance of this idea to group signatures, signature sharing, and fair exchange of signatures. We note that we apply the [1] transformation to strong witness hiding proofs rather than to zero-knowledge proofs, and thus cannot use the claims they prove about the resulting encryption being semantically secure. Still, the resulting protocol can be shown to work in our context as well.
that the verifier is cheating. The need for a disavowal protocol may of course arise in the case where the cheating verifier is charged by the law and a proof of his blame needs to be presented. We expect this to rarely occur.

1.2 Related Work 

Soon after Chaum introduced the notion of DCS [4], Okamoto presented a formal model and definition of security of DCS and proved (constructively) that secure designated confirmer signature schemes are equivalent to secure public-key encryption [19]. In a nutshell, his definition requires zero-knowledge confirmation protocols of the validity of the signature (or disavowal of its validity) as a way of ensuring non-transferability of the ability to validate a signature. In addition to theoretical results, Okamoto also gives two concrete practical schemes without any argument or claim of security. Indeed, [18] showed that one of Okamoto's schemes enables the designated confirmer to universally forge signatures.

Michels and Stadler [18] suggest how to use a tool called designated confirmer commitments to construct designated confirmer signature schemes starting from any Fiat-Shamir like signature scheme [11]. The resulting DCS schemes can be proved secure only in the random oracle model, inheriting this property from the use of the Fiat-Shamir paradigm for constructing signatures. Another DCS scheme suggested in [18] is based on deterministic RSA signatures, which are existentially forgeable, and thus again security is only obtained by resorting to the "hash then sign" techniques which are provably secure in the random oracle model. [2] point out attacks on previous DCS schemes (including [18]) when several signers share the same confirmer. They strengthen the DCS security requirements of [19] to address these problems, and show the existence of a secure DCS (under the new definition) using general tools of existentially unforgeable digital signature schemes, CCA2 secure encryption schemes, and general concurrent ZK protocols for NP statements. For this definition [2] propose concrete implementations of DCS based on either deterministic RSA signatures (or Fiat-Shamir like signatures) whose security again is provable in the random oracle model. Some of the confirmation and disavowal protocols proposed in [2], when using the Cramer-Shoup public encryption function as the underlying CCA2 secure encryption, amount to proving statements concerning the equality (and inequality) of discrete logarithms in zero-knowledge. A recent article of Camenisch and Shoup [3] shows direct ways to accomplish this.

2 New Definition for a DCS 

2.1 Informal Outline of the Definition 

The model consists of three players: signer $S$, verifier $V$ and designated confirmer $C$. Throughout, all parties receive as input the public keys of the signer and of the designated confirmer, denoted by $PK_S$ and $PK_C$. The signer has an auxiliary secret input, denoted $SK_S$, and the confirmer has an auxiliary secret input, denoted $SK_C$.
A pair of important algorithms with respect to which validity of a designated confirmer signature is defined are $Extract$ and $Verify$. On inputs a message $m$, a designated confirmer signature $\sigma$, $PK_S$, $PK_C$, and $SK_C$, algorithm $Extract$ either outputs $fail$ or a string $\sigma^*$, which can be publicly verified as a valid ordinary digital signature of $m$ with respect to $PK_S$ (as defined in [16]) by running the verification algorithm $Verify$. In essence, $Extract$ turns a designated confirmer signature that can be verified only by a confirmer into an ordinary digital signature that can be validated by anyone.

The definition also calls for the existence of three main interactive protocols: 

ConfirmedSign: a protocol between the signer and a verifier on a common input message $m$, which produces as output either an accept or reject vote by the verifier along with a string $\sigma$ referred to as the designated confirmer signature of $m$. If the verifier accepts, then the string $\sigma$ should be a valid designated confirmer signature, that is, one that can be transformed to an ordinary digital signature using the $Extract$ algorithm. Here the verifier is the recipient of the designated confirmer signature that needs to be convinced of its validity.

By combining the signing process along with the confirmation process we 
deviate from the definition of [19,18,2]. We argue that this is a natural modifi- 
cation, as the recipient of a DCS always needs to be convinced of the validity of 
the DCS, thus in practice, the two actions are always performed together. 

Conf: a protocol between the confirmer and a verifier on common input a message $m$ and a designated confirmer signature $\sigma$, at the end of which the verifier either accepts or rejects $\sigma$ as a valid designated confirmer signature of $m$. If $\sigma$ is a valid designated confirmer signature (i.e. one from which the $Extract$ algorithm can output an ordinary valid signature of $m$) then the confirmer should be able to convince the verifier of its validity. Here the verifier can be any party that needs to be convinced of the validity of the DCS.

Disavowal: a protocol between the confirmer and verifier on common input a message $m$ and a designated confirmer signature $\sigma$, at the end of which the verifier either accepts or rejects $\sigma$ as an invalid designated confirmer signature of $m$ (where an invalid designated signature $\sigma$ is one for which $Extract$ outputs $fail$). As in Conf, the verifier can be any party that needs to be convinced of the validity of the DCS.

The security requirements we make fall into two categories: security for 
signers and security for the confirmer. 



1. Security for the signer: For any message $m$ not previously signed, no one, except for the legal signer, can

a) Run $ConfirmedSign(m, \cdots)$ in the role of the prover, successfully with non-negligible probability.

b) Produce a publicly verifiable ordinary signature $\sigma^*$ of $m$ with respect to the signer's public signing key (i.e. $Verify(PK_S, m, \sigma^*) = valid$).

c) Produce a designated confirmer signature $\sigma$ for $m$ which the legal designated confirmer will confirm as valid with non-negligible probability.

For any previously signed message $m$, no one, except for the legal signer and the legal designated confirmer, can do 1a, 1b as above.^4

2. Security for the confirmer: No one but the legal signer $S$ and designated confirmer $C$, including any coalition of signers $\{S_j\}$ where all $S_j \neq S$ sharing the same confirmer, can confirm a designated confirmer signature for a message previously signed with respect to $SK_S$.

2.2 Formal Definition 

In the coming definition, $negl(k)$ denotes any function which grows slower than $\frac{1}{k^c}$ for all $c$, for all $k$ sufficiently large.

Definition 1. A secure designated confirmer signature scheme consists of the following components:

1. Key Generation Algorithms $(G_S, G_C)$: $G_C$ is a probabilistic polynomial time algorithm that on input $1^n$ (where $n$ is the security parameter), outputs a pair of strings $(SK_C, PK_C)$ (the designated confirmer's private and public key respectively). $G_S$ is a probabilistic polynomial time algorithm that on input $1^n$, outputs a pair of strings $(SK_S, PK_S)$ (the signer's private and public key respectively).

2. Signature Extraction: A pair of polynomial time algorithms $(Extract, Verify)$ such that $Extract$ on inputs $m, \sigma, PK_S, PK_C$ and $SK_C$ returns a string $\sigma^*$ and $Verify$ on input $PK_S, m$ and $\sigma^*$ outputs $valid$ or $invalid$. If $Verify(PK_S, m, \sigma^*) = valid$, where $\sigma^* = Extract(m, \sigma, PK_S, PK_C, SK_C)$, then we say that the $Extract$ algorithm was successful and $\sigma^*$ is a valid ordinary signature of $m$ with respect to $PK_S$.

3. ConfirmedSign: An interactive protocol referred to as $ConfirmedSign_{(S,V)}$ between interactive probabilistic polynomial time algorithms (ITM) $S$ and $V$ which on common inputs $(m, PK_S, PK_C)$ outputs a pair $(b, \sigma)$ where $b \in \{accept, reject\}$ and $\sigma$ is referred to as the designated confirmer signature of a signer $S$ on message $m$. The requirements from $ConfirmedSign$ are: $\exists V$ such that

a) Completeness: $\exists S$ (with auxiliary input $SK_S$), such that $\forall (PK_S, SK_S) \in G_S$ and $(PK_C, SK_C) \in G_C$, $\forall m$, $ConfirmedSign_{(S,V)}(m, PK_S, PK_C)$ outputs $(accept, \sigma)$ such that $Verify(PK_S, m, Extract(m, \sigma, PK_S, PK_C, SK_C)) = valid$.

b) Soundness: $\forall$ probabilistic polynomial time $S'$ with auxiliary input^5 $y$, $\forall m$, $\Pr[ConfirmedSign_{(S',V)}(m, PK_S, PK_C)$ outputs $(accept, \sigma)$

^ Ordinary signature schemes are secure if a forger cannot produce a signature on a 
message that has not been signed before. It is not required that a forger would not 
be able to produce a different signature on previously signed messages. Similarly, for 
a designated confirmer signature scheme, we do not require (in part 6 of Def 1) that 
it is infeasible for a forger F to produce new valid designated confirmer signatures 
for messages previously signed. 

® This y captures the possible history, available to attackers, of interaction with Sign- 
ers, Confirmers and Verifiers. 
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such that Verify{PKs,m,Extract{m,a,PKs,PKc,SKc)) ^ valid] < 
negl{n) 

The probability is taken over all possible coins of the key generation al- 
gorithms GsjGc and algorithms S', V, and Extract. 

4- Confirmation An interactive protocol referred to as Gonf(c,v) between in- 
teractive probabilistic polynomial time algorithms (ITM) G and V which on 
common inputs {m,a, PKg, PKc) outputs b € {accept, reject}. The require- 
ments from Gonf are: 3 V such that 

a) Completeness: 3 G (with auxiliary input SKc), such that 

V {PKs, SKs) G Gs and {PK^, SK^) G G^, V m, if 
Verify{PKs,m,Extract{m,a,PKs,PKc,SKc) = valid 
then Gonfi^c,v){'^T'^i PKs, PKc) outputs accept 

b) Soundness: V probabilistic polynomial time G' (with auxiliary input y) 
if Verify{PKg, m, Extract{m, a, PKg, PKc, SKc) ^ valid 

then Pr{Gonfirm(c' PKs, PKc) outputs accept) < negl{n) 

The probability is taken over all possible coins of G' , V , Extract and the 
key generation algorithms Gs and Gc. 

5. Disavowal An interactive protocol referred to as Disvowal(^c,v) between in- 
teractive probabilistic polynomial time algorithms (ITM) G and V which on 
common inputs {m,a, PKg, PKc) outputs b G {accept,reject}, The require- 
ments from Disvowal are: 3 V such that 

a) Completeness: 3 G (with auxiliary input SKc), such that 

V {PKs, SKs) G Gs and {PKc, SKc) G Gc, V m, if 
Verify{PKs,m, Extract{m,a, PKs, PKc, SKc) ^ valid, 
then Disvowal(^c,v){'>TT'j^i PP^s, PKc) outputs accept 

b) Soundness: V probabilistic polynomial-time G' (with auxiliary input y), 
if Verify{PKs, m, Extract{m, a, PKs, PKc, SKc)) = valid 

then Pr{Disvowal(^c',v){'nT'^ PKs, PKc) outputs accept) < negl{n) 

The probability is taken over all possible coins of G' , V , Extract and the 
key generation algorithms Gs and Gc. 

6. We say that a designated confirmer signature scheme is secure if it meets 
the following requirements: 

a) Let E be a probabilistic polynomial time forging algorithm which, 
on input strings PKs, PKc can first request the execution of 
ConfirmedSign^s.F), Gonf(c,F) o.nd Disvowal(c,F) for polynomially 
many adaptively chosen inputs of its choice; and then attempts to run 
the GonfirmedSign protocol on m of its choice in the role of the prover. 
We require that for all such P and m 

Pr{GonfirmedSign;Fy){V',m,PKs,PKc) = {accept, a)) < negl{n) 

The probability is taken over all possible coins used by F, S, G, V and 
the key generation algorithms Gs and Gc. 
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b) Let F be a probabilistic polynomial time forging algorithm which, on in- 
put strings 1”, PKg, PK^, can first request the execution of 
ConfirmedSign(^S,F)> Conf(^c,F) o,nd Disvowal(^c,F) for polynomially 
many adaptively chosen inputs of its choice; and then outputs a pair 

We require that for all such F and m, 

Pr{Verify{PKs,m,a*) = valid) < negl{n) 

The probability is taken over all possible coins used by F, S, C , V and 
the key generation algorithms Gs and Gc 

c) Let F be a probabilistic polynomial time forging algorithm which, on 

input strings 1", PKg, PKc, and SKc, can first request the execution of 
ConfirmedSign;s,F) for polynomially many adaptively chosen messages 
{mi}, as well as request the execution of Gonf;c,F) ond Disvowal;c,F) 
for polynomially many adaptively chosen inputs; and then outputs a 
pair We require that for all such F and for message m ^ {mi} 

(i.e not previously signed) 

Pr{Gonf;c,v){^^ j PKf) = accept) < negl{n) 

The probability is taken over all possible coins used by F, S, G, V and 
the key generation algorithms Gs and Gc-^ 

d) Security for designated confirmers: Let A be a probabilistic polyno- 
mial time attacking algorithm which, on input strings W,PKs,PKc can 
request the execution of ConfirmedSign(^s,A)^ Conf;c,A) o,nd 
Disvowal(c,A) for polynomially many inputs of his choice and finally, for 
a pair {m,a} of his choice, A executes Gonf;A,v){P'i'<~n,(7,PKs,PKc). 
For all such A 

Pr{Gonf(A,v){P^ ,m,a,PKs,PKc) = accept) < negl{n) 

The probability is taken over all possible coins used by A, S, G , V and 
the key generation algorithms Gs and Gc- 

Moreover, this should hold when many signers share the same confirmer. 
Meaning, when A knows polynomially many SKs^ such that 
SKs, + SKs- 



3 Tools

Our transformation uses several tools, including ordinary digital signatures secure
against adaptive chosen message attack as defined in [16], public key encryption
secure against adaptive chosen ciphertext attack (CCA2) as defined in [8], canonical
strong witness hiding proofs of knowledge defined in subsection 3.1, and encrypted
strong witness hiding proofs of knowledge defined in subsection 3.2.

Footnote (to requirement 6c of Definition 1): Note that this requirement also implies
that with high probability even the designated confirmer $C$ cannot successfully run the
$\mathrm{ConfirmedSign}_{(C,V)}$ protocol on messages not previously signed, nor produce a valid
ordinary signature of a message not previously signed.

3.1 Strong Witness Hiding Proofs of Knowledge

Witness hiding proofs of knowledge (WHPOK) were defined by Feige and Shamir
in [10] as follows.

Let $R$ be a polynomial time relation. Namely, there exists a polynomial $p$
and a polynomial time computable function $f$ such that
$$R = \{(x, w) : f(x, w) = 1,\ |w| \le p(|x|)\}.$$
Let $w(x)$ denote the set of $w$ such that $(x, w) \in R$.

Definition 2 ([10]): We say that $G$ is an instance generator for relation $R$ if
on input $1^n$ it produces instances $(x, w) \in R$ of length $n$. We say that $G$ is a hard
instance generator if for any polynomial time witness finding algorithm $F$,
$\Pr[(x, F(x)) \in R] < \mathrm{negl}(n)$, where $x \in G(1^n)$. The probability is taken over the
coin tosses of $G$ and $F$.

Definition 3 ([10]): Let $(P, V)$ be a proof of knowledge (POK) system for
relation $R$ and let $G$ be a hard instance generator for $R$. We say that $(P, V)$ is a
witness hiding proof of knowledge (WHPOK) on $(R, G)$ if for any probabilistic
polynomial time $V'$ there exists an expected polynomial time witness extractor $M$ such that
$$\Pr[(P(w), V')(x) \in w(x)] \le \Pr[M(x) \in w(x)] + \mathrm{negl}(n),$$
where $x \in G(1^n)$. The probability is taken over the distribution of the inputs chosen
by $G$ and witnesses as well as the random tosses of $P$, $V'$ and $M$.

In our context, the relation $R$ we shall be interested in will be the pairs
of a message and a valid ordinary digital signature of the message, for some given
ordinary digital signature scheme which is secure against chosen message attack.
As such, we shall need to deviate from the original definition of WHPOK in a
few aspects. First, for a secure digital signature scheme as defined by [16] it is
impossible to find a single valid (message, signature) pair in polynomial time
for messages not previously signed. Thus, our proofs of knowledge should be
witness hiding for any polynomial time distribution over $R$. Second, we require
the proof of knowledge to remain witness hiding even when the verifier chooses the
input message to run the protocol on after it has participated in many executions
of the protocol on different input messages, which were chosen adaptively by the
verifier himself. We call the modified definition strong witness hiding proofs of
knowledge (SWHPOK).

Definition 4 Let $(P, V)$ be a proof of knowledge (POK) system for relation $R$.
We say that $(P, V)$ is strong witness hiding (SWH) on $R$ if for any probabilistic
polynomial time $V'$ who can in a preliminary stage choose (adaptively) polynomially
many $x_i$ and run $(P(w_i), V')(x_i)$, and only later choose a challenge $x \neq x_i$,
there exists a witness extractor $M$ which runs in expected polynomial time such
that
$$\Pr[(P(w), V')(x) \in w(x)] \le \Pr[M(x) \in w(x)] + \mathrm{negl}(n).$$
The probability is taken over the distribution of witnesses as well as the random coin
tosses of $P$, $V'$, $G$ and $M$.

Finally, in order to be able to apply the technique of Camenisch and Damgard
[1] of encrypted witness hiding proofs of knowledge, we require that our protocols
be of the canonical form defined as follows.

Definition 5 A canonical witness hiding proof of knowledge for a boolean
relation $R \subseteq \{0,1\}^* \times \{0,1\}^*$ is a three-move SWHPOK for $R$ which is defined
by three probabilistic procedures $(P_1, P_3, \mathrm{Verdict})$, satisfying the following
conditions:

1. On common input $x$ and an auxiliary input $w$, $P$'s first step uses $P_1$ to compute
the first message to be sent, $t$, and some side information $r$. At the second step the
verifier sends a random bit string $c$ as a challenge. At the third step the prover
uses $x, w, r$ and $c$ as input to $P_3$ to compute a response $s$, which he sends to
the verifier. In the fourth step the verifier uses the predicate Verdict, taking $x, t, c$
and $s$ as inputs, to check whether $s$ is a valid response. A triple $(t, c, s)$ such that
$\mathrm{Verdict}(x, t, c, s)$ accepts is called an accepting triple for $x$.

2. The number of possible challenges that can be sent by the verifier is polynomial
in the security parameter.

3. There exists a knowledge extractor that can extract the witness from knowing
the answers to all possible challenges.

Note that we have added the requirement of being strong WH into what we call
a canonical WHPOK. Also, note that there is no requirement above of having
negligible soundness probability. Indeed, in all the canonical WHPOK on
which we perform transformations in this paper, the challenge of the verifier is
a single bit, which yields an overall soundness probability of $1/2$.

3.2 Encrypted Strong Witness Hiding Proofs of Knowledge of a
Signature

An important tool used by the construction is called an encrypted strong witness
hiding proof of knowledge. The idea is as in [1], where they apply the technique
to zero-knowledge protocols.

Start with any signature scheme existentially unforgeable under adaptive
chosen message attack $\Sigma = (SG, \mathrm{Sign}, \mathrm{Verify})$ where $SG$ is the key generation
algorithm, and Sign (and Verify) are the signing (and verifying) algorithms.
Define the relation
$$R_\Sigma = \{((PK_S, m), \sigma) : \mathrm{Verify}(PK_S, m, \sigma) = \mathrm{valid},\ (PK_S, SK_S) \in SG(1^n)\}.$$

Assume you are given, for simplicity of exposition, a canonical strong WHPOK
for relation $R_\Sigma$ defined by three probabilistic algorithms $(P_1, P_3, \mathrm{Verdict})$
where the number of possible challenges of the verifier is two and the soundness
probability is $1/2$ (in general the construction works for any polynomial number
of challenges).

Canonical witness hiding proof of knowledge for $R_\Sigma$:

Common input to both prover and verifier is $(PK_S, m)$. Auxiliary input to the
prover is $\sigma$ such that $((PK_S, m), \sigma) \in R_\Sigma$.

1. The prover computes $(t, r) = P_1((PK_S, m), \sigma)$ and sends $t$ to the verifier.

2. The verifier selects $b \in_R \{0, 1\}$ and sends it to the prover.

3. The prover calculates $s = P_3((PK_S, m), \sigma, r, b)$ and sends it to the verifier.

4. The verifier accepts if $\mathrm{Verdict}((PK_S, m), t, b, s) = 1$, otherwise he rejects.

Now, let $\mathrm{Enc} = (EG, E, D)$ be a given CCA2 secure public key encryption
scheme. In our context, the public encryption key (and corresponding secret
decryption key) will be that of the designated confirmer $C$, and we denote them by
$PK_C$ (and $SK_C$ respectively). The above protocol is turned into an encrypted
witness hiding proof of knowledge for $R_\Sigma$ as follows.

Encrypted canonical witness hiding proof of knowledge for $R_\Sigma$:
Common input to both prover and verifier is $m, PK_S, PK_C$. Auxiliary input to
the prover is $\sigma$ such that $((PK_S, m), \sigma) \in R_\Sigma$.

1. The prover computes $(t, r) = P_1((PK_S, m), \sigma)$, $s_0 = P_3((PK_S, m), \sigma, r, 0)$ and
$s_1 = P_3((PK_S, m), \sigma, r, 1)$; encrypts $s_0$ and $s_1$ using the designated confirmer's
public key to obtain $e_0 \in E_{PK_C}(s_0)$ and $e_1 \in E_{PK_C}(s_1)$. Then, the prover sends
$(t, e_0, e_1)$ to the verifier.

2. The verifier selects $b \in_R \{0, 1\}$ and sends it to the prover.

3. The prover reveals $s_b$ and the random coins $r_b$ that were used in the encryption.

4. If $E_{PK_C}(s_b; r_b) = e_b$ and $\mathrm{Verdict}((PK_S, m), t, b, s_b) = 1$, the verifier accepts,
otherwise he rejects.

Essentially, in this protocol at the first round the prover sends an encrypted
answer to both possible challenges, one of which will be decrypted on the third
round.

Running this basic protocol $k$ times in sequence decreases the probability of
cheating to $2^{-k}$ but costs a possibly prohibitive $3k$ rounds. To reduce the
number of rounds to a constant while maintaining negligible probability of error, we can
employ ideas similar to Goldreich-Kahan [13] (see the footnote below) or utilize a trapdoor commitment
scheme as suggested in [1].

Footnote: Recalling, the idea of [13] is to simply add an initial round in which the verifier
commits to all his challenges $b_1, \ldots, b_k$ in advance, followed by $k$ parallel executions
of the above 3-round protocol with the modification that the verifier decommits its
challenges $b_1, \ldots, b_k$ in step (2) rather than simply sending them in the clear. This
transformation maintains the SWH property.

Theorem 6 The modified protocol remains a canonical (strong) witness hiding
proof of knowledge for the relation $R_\Sigma$.

4 A General Construction of Designated Confirmer
Signature

Let $\Sigma = (SG, \mathrm{Sign}, \mathrm{Verify})$ be a signature scheme which is existentially
unforgeable under chosen message attack and which has a canonical strong WHPOK
for the relation $R_\Sigma$. Let $\mathrm{Enc} = (EG, E, D)$ be a CCA2 secure encryption
scheme.

In the following we let $S$ denote the signer, $V$ the verifier in the various
protocols, and $C$ the designated confirmer. We let $(PK_S, SK_S) \in SG(1^n)$
denote the public verification key and the secret signing key of the signer and
$(PK_C, SK_C) \in EG(1^n)$ the public encryption key and the private decryption
key of the designated confirmer.

The designated confirmer signature scheme:

Key Generation Algorithms: $(G_S, G_C) = (SG, EG)$. The key generation
algorithm consists of the pair of key generation algorithms for the signature and
encryption schemes in use.

ConfirmedSign protocol: $S$ computes an ordinary signature $\sigma$ of $m$ by
computing $\sigma \in \mathrm{Sign}_{SK_S}(m)$. Then, the encrypted canonical witness hiding proof
of knowledge for $R_\Sigma$ of Section 3.2 is run between the signer $S$ in the role of the
prover and the verifier $V$ on common inputs $m, PK_S$ and $PK_C$ and auxiliary input
$\sigma$ to $S$.

The triple $\sigma' = (t, e_0, e_1)$ (defined during the protocol) is defined to be
the designated confirmer signature of message $m$ with respect to $PK_S$. When
the protocol is repeated $k$ times, the designated confirmer signature of $m$ is
$$\{(t_i, e_{i0}, e_{i1}) : i = 1, \ldots, k\}.$$

Signature Extraction: Extracting an ordinary signature $\sigma$ of message $m$
such that $\mathrm{Verify}(PK_S, m, \sigma) = \mathrm{valid}$ from a designated confirmer signature $\sigma'$, where
$(\mathrm{accept}, \sigma') \in \mathrm{ConfirmedSign}_{(S,V)}(m, PK_S, PK_C)$, is straightforward for $C$. $C$
simply decrypts $e_0$ and $e_1$ to obtain $s_0$ and $s_1$. Knowing both $s_0$ and $s_1$ implies
extraction of the ordinary signature $\sigma$ using the knowledge extractor of the
witness hiding proof of knowledge protocol for $\sigma$.

Footnote: At the moment we are assuming we are given such a WHPOK. We know that such
WHPOK exist if one-way permutations exist. Later we will show efficient constructions
of such protocols for a large family of signature schemes.

Footnote: Note that the probability that upon decryption it is discovered that $s_0, s_1$ were
not properly encrypted is essentially the same as the soundness probability of the
witness hiding protocol. In the full protocol with $k$ repetitions, where the designated
confirmer signature is $(t_i, e_{i0}, e_{i1})$ for $i = 1, \ldots, k$, the probability that there exists
a pair $e_{i0}, e_{i1}$ which properly decrypts to a pair $s_0$ and $s_1$ from which $\sigma$ can be
extracted is negligibly close to 1.

Confirmation protocol: On common inputs $m$, an alleged designated confirmer
signature $\sigma'$, and $PK_S, PK_C$, the following protocol is run between confirmer
$C$ and verifier $V$. $C$ has as an auxiliary input $SK_C$. First, $C$ extracts an
ordinary signature of $m$ by $\sigma = \mathrm{Extract}(m, \sigma', PK_S, PK_C, SK_C)$. If
$\mathrm{Verify}(PK_S, m, \sigma) = \mathrm{invalid}$, then the confirmation protocol outputs invalid
and stops. If $\mathrm{Verify}(PK_S, m, \sigma) = \mathrm{valid}$, then $C$ (as prover) and $V$ (as verifier)
run the canonical strong WHPOK for $R_\Sigma$ on common input $(PK_S, m)$ and
auxiliary input $\sigma$ to $C$.

Disavowal protocol $\mathrm{Disavowal}_{(C,V)}$: Given $m$ and an alleged DCS $\sigma'$ for
which $\mathrm{Verify}(PK_S, m, \mathrm{Extract}(m, \sigma', PK_S, PK_C, SK_C)) = \mathrm{invalid}$, the disavowal
protocol is a zero-knowledge proof that
$$\mathrm{Verify}(PK_S, m, \mathrm{Extract}(m, \sigma', PK_S, PK_C, SK_C)) = \mathrm{invalid}.$$
The latter is obviously an NP statement.

Theorem 7 The above system constitutes a secure designated confirmer signature
scheme, given that Sign is existentially unforgeable under chosen message
attack and Enc is a CCA2 secure public key encryption scheme.

Proof. For brevity, let us include only a sketch of the proof.

First, we need to show that any polynomial time adversary $A$, participating
in $\mathrm{ConfirmedSign}_{(S,A)}$, $\mathrm{Conf}_{(C,A)}$ and $\mathrm{Disavowal}_{(C,A)}$ in the role of the verifier
on polynomially many messages $m_1, \ldots, m_k$ of his choice, cannot successfully run
$\mathrm{ConfirmedSign}_{(A,V)}(m, PK_S, PK_C)$ or compute an ordinary signature $\sigma^*$ such
that $\mathrm{Verify}(PK_S, m, \sigma^*) = \mathrm{valid}$ for any message $m$ of his choice (regardless of
whether $m \in \{m_1, \ldots, m_k\}$ or not). Suppose for contradiction that such an $A$
does exist. Since $\mathrm{ConfirmedSign}_{(A,V)}(m, PK_S, PK_C)$ is a proof of knowledge, an
adversary $A$ that successfully runs $\mathrm{ConfirmedSign}_{(A,V)}(m, PK_S, PK_C)$ can also
extract an ordinary signature $\sigma'$ of $m$ with high probability. This contradicts the
assumption that $\mathrm{ConfirmedSign}_{(S,A)}$ and $\mathrm{Conf}_{(C,A)}$ are strong witness hiding
and thus do not reveal an ordinary signature for any message.

Next, we need to show that such an $A$ cannot produce a pair $(m, \sigma)$ for which
$\mathrm{Conf}_{(C,V)}(m, \sigma, PK_S, PK_C)$ will be successful, namely for which
$\mathrm{Verify}(PK_S, m, \mathrm{Extract}(m, \sigma, PK_S, PK_C, SK_C)) = \mathrm{valid}$, for a new $m$ not
previously signed. Suppose for contradiction that such an $A$ does exist. Then, a
success of $A$ would constitute a successful malleability attack on the encryption
scheme $E_{PK_C}$, which is impossible as $E_{PK_C}$ was taken to be secure against CCA2.

Finally, we need to show that any coalition of probabilistic polynomial time
adversaries $\{A_i\}$ with secret signing keys $\{SK_i\}$, playing $\mathrm{ConfirmedSign}_{(S,A_i)}$,
$\mathrm{Conf}_{(C,A_i)}$ and $\mathrm{Disavowal}_{(C,A_i)}$ in the role of the verifier on polynomially many
messages $m_1, \ldots, m_k$ of their choice, cannot successfully run $\mathrm{Conf}_{(A_i,V)}$ on
any pair $(m, \sigma)$. Here again, since $\mathrm{Conf}_{(A_i,V)}$ is a POK, successfully running
$\mathrm{Conf}_{(A_i,V)}$ means that $A_i$ can extract an ordinary signature of $m$ with high
probability, which contradicts the fact that Conf and ConfirmedSign are witness
hiding. □
4.1 On the Complexity of the Construction

Unlike the efficient WHPOK ConfirmedSign and Conf, the Disavowal protocol
is a less efficient ZKPOK. We claim that due to the rare expected use
of Disavowal it has very little effect on the overall efficiency of the scheme. See the
discussion in Section 1.1.

One problematic point is that per our description the verifier must store the
designated confirmer signature in its entirety, i.e. $(t_i, e_{i0}, e_{i1})$, $1 \le i \le k$, in case
it needs to be presented at a later time to the confirmer for confirmation. If
the signer was honest, $\sigma$ can be extracted from any of the triples $(t_i, e_{i0}, e_{i1})$,
and thus saving a single triple would significantly reduce the storage needed.
However, saving a single triple does not suffice in the case of a cheating signer, as it
may be a triple which does not enable extraction and was not detected during the
signing protocol (a single improperly encrypted triple survives its challenge with
probability $1/2$). By choosing to store only a random subset
of the triples (hoping you store at least one proper one), one may trade off the
probability of being able to eventually extract against storage. (See the footnote
at the end of Section 5.1.)

5 Cramer-Shoup Based DCS

In this section we show how to transform the Cramer-Shoup (CS) signature
scheme [6] into a designated confirmer signature scheme. Since the CS signature
scheme is existentially unforgeable under chosen message attack, using the
construction in Section 4 we can transform it into a DCS scheme. In order to do that we
describe a canonical WHPOK of a CS signature.

5.1 The Cramer-Shoup Signature Scheme

The Cramer-Shoup signature scheme [6] is an efficient signature scheme, which
is existentially unforgeable under chosen message attack under the strong RSA
assumption.

Definition 8 The strong RSA assumption is the assumption that given a
randomly chosen RSA modulus $n$ and a random $z \in \mathbb{Z}_n^*$, it is hard to find $r > 1$
and $y \in \mathbb{Z}_n^*$ such that $y^r = z$.

The Cramer-Shoup scheme:

Key Generation: Two random $l$-bit primes $p$ and $q$ are chosen, where
$p = 2p' + 1$ and $q = 2q' + 1$, with both $p'$ and $q'$ prime. Let $N = pq$. Also chosen
are $h, x \in QR_N$ and a random $(l+1)$-bit prime $e'$. The private key is $(p, q)$ and
the public key is $(N, h, x, e')$ along with a collision resistant hash function $H$
(e.g. SHA-1).

Signature generation: To sign a message $m$, a random $(l+1)$-bit prime $e \neq e'$
is chosen and a random $x' \in QR_N$ is chosen. The equation
$$y^e = x h^{H(x')} \bmod N$$
is solved for $y$ and the equation
$$(y')^{e'} = x' h^{H(m)} \bmod N$$
is solved for $y'$. The Cramer-Shoup signature is $(e, y, y')$.

Signature verification: To verify a signature $(e, y, y')$ on a message $m$, $e$
is first checked to be an odd $(l+1)$-bit number different from $e'$. Second,
$x' = (y')^{e'} h^{-H(m)} \bmod N$ is computed. Third, it is checked that
$x = y^e h^{-H(x')} \bmod N$.

Footnote (to Section 4.1): A back of the envelope calculation gives the probability
(after having passed the confirmation protocol) that the confirmer will not be able to
extract the signature when one chooses at random $l$ out of $k$ pairs to store.

Transformation of Digital Signature Schemes

5.2 Canonical WHPOK of a CS Signature

Proving knowledge of a CS signature of a message $m$ amounts to proving knowledge
of $(e, y, y')$ such that there exists $x'$ satisfying the equations $y^e = x h^{H(x')} \bmod N$
and $(y')^{e'} = x' h^{H(m)} \bmod N$. In order to prove knowledge of a CS signature we
use a ZKPOK of the $i$th root as a tool.

Protocol I: Zero-knowledge proof of knowledge of the $i$th root:

On common input $w, i, N$ such that $w = s^i \bmod N$, and auxiliary secret
input $s$ to the prover.

1. The prover picks $r \in_R \mathbb{Z}_N^*$, computes $v = r^i \bmod N$ and sends $v$ to the verifier.

2. The verifier picks $b \in_R \{0, 1\}$ and sends $b$ to the prover.

3. The prover sends $t = r s^b \bmod N$ to the verifier.

4. The verifier accepts iff $t^i = v w^b \pmod N$. (To achieve lower soundness
probability the protocol may be repeated.)

Theorem 9 Protocol I is a perfect zero-knowledge proof of knowledge of $s$.

Protocol II: Strong WHPOK of Cramer-Shoup signatures. On common
input message $m$, a Cramer-Shoup public key $(N, h, x, e')$ and an auxiliary secret
input to the prover $(e, y, y')$ (a Cramer-Shoup signature of $m$).

1. The prover sends $e, x'$ to the verifier where $x' = (y')^{e'} h^{-H(m)} \bmod N$.

2. The prover proves in zero-knowledge (using Protocol I above) that he knows
a $y$ such that $y^e = x h^{H(x')} \bmod N$ and that he knows a $y'$ such that
$(y')^{e'} = x' h^{H(m)} \bmod N$.

Theorem 10 Protocol II is a strong WHPOK of Cramer-Shoup signatures.

Proof. It is easy to see that completeness holds: a prover that knows a CS
signature of $m$ can always convince a verifier.

Since we are using the ZKPOK of a modular root, there exists a knowledge
extractor for $y$ (the $e$th root of $x h^{H(x')}$) and $y'$ (the $e'$th root of $x' h^{H(m)}$). These
$y$ and $y'$, together with the $e$ given in the first round, are a CS signature of $m$;
hence a witness extractor exists.

Soundness holds because a cheating prover that does not know a CS signature
cannot prove knowledge of either the $e$th root of $x h^{H(x')}$ or the $e'$th root
of $x' h^{H(m)}$. Thus, the soundness is guaranteed by the soundness of the POK of
the $e$th root.
The most important thing we need to prove in order to apply the general
construction to the above protocol is that it is indeed strong witness hiding.
It was already proved in [6] that seeing a Cramer-Shoup signature on polynomially
many messages does not enable an adversary to sign any new message
that has not been signed before, let alone seeing only a partial CS signature.
It remains to show that executing the above protocol does not reveal the
Cramer-Shoup signature of any of the messages on which it was run. Assume
toward contradiction that there exists an adversary $A$ that, on a Cramer-Shoup
public key $(N, h, x, e')$, executes the above protocol in the role of the verifier with
the signer in the role of the prover on polynomially many messages $m_1, \ldots, m_t$ of
the verifier's choice and finally outputs, with non-negligible probability, a pair
$(m, \sigma)$, where $m \in \{m_1, \ldots, m_t\}$ and $\sigma$ is a valid Cramer-Shoup signature of $m$.
We show that such an algorithm $A$ can be used to construct the following forging
algorithm $B$ for the standard Cramer-Shoup signature scheme. $B$ will utilize
$A$'s algorithm for this purpose (i.e. $B$ will run $A$ on different inputs and random
tapes).

The Forging Algorithm $B$:

Algorithm $B$'s input: A Cramer-Shoup public key $(N, h, x, e')$ and access to
$A$'s program.

Algorithm $B$'s output: A pair $(m, \sigma)$, where $m$ is a message and $\sigma = (e, y, y')$
is a Cramer-Shoup signature of $m$.

1. Query phase: Initially $B$ interacts with $A$, where $B$ acts in the role of the
prover and $A$ the verifier in Protocol II above, perfectly simulating $A$'s view
of interacting with a legitimate signer without ever querying the signer. On
message $m_i$ of $A$'s choice, $B$ proves to $A$ that he knows a Cramer-Shoup
signature of $m_i$ in the following way:

a) $B$ picks a random $(l+1)$-bit prime $e_i$ and $x_i' \in_R QR_N$ and sends $(e_i, x_i')$
to $A$.

b) $B$ proves to $A$ in zero-knowledge that he knows $y_i$ such that
$y_i^{e_i} = x h^{H(x_i')} \bmod N$ and $y_i'$ such that $(y_i')^{e'} = x_i' h^{H(m_i)} \bmod N$.

Naturally, $B$ does not know such $y_i$ and $y_i'$. Nevertheless, $B$ can perfectly
simulate $A$'s view using the standard rewinding technique for proving
zero-knowledge, taking advantage of the ability to rewind $A$ upon a
challenge that $B$ was not prepared for (see the footnote below).

2. Output phase: If $A$ outputs a valid Cramer-Shoup signature $\sigma$ for $m \in$
$\{m_1, \ldots, m_t\}$ (or any $m$ for that matter), then $B$ outputs $\langle m, \sigma \rangle$.

Footnote: The number of possible challenges in each round of the ZKPOK of the $e$th root is
2, and thus running the protocol simultaneously for $y$ and $y'$ brings the number of
possible challenges to 4 and can be easily simulated.

Clearly, $B$ runs in expected polynomial time as so does $A$. $B$ perfectly simulates
$A$'s view as the $x_i'$ and $e_i$ are uniformly distributed (completely independent
of the $m_i$), and thus if $A$ outputs a Cramer-Shoup signature with non-negligible
probability, so does $B$, contradicting the fact that the Cramer-Shoup signature
scheme is existentially unforgeable under the strong RSA assumption.

□

We remark that one could simplify Protocol II further and, rather than running
step 2 as it is, allow the verifier to choose at random whether to engage
in a WHPOK of $y$ such that $y^e = x h^{H(x')} \bmod N$,
or a WHPOK of $y'$ such that $(y')^{e'} = x' h^{H(m)} \bmod N$, but not both.
Since knowing a legal Cramer-Shoup signature of $m$ means
knowing both $y$ and $y'$, a cheating prover who cannot answer both challenges
will be caught with probability $1/2$.

Finally, Protocol II did not have a canonical form. It can easily be turned into a
canonical 3-round protocol (to be repeated in turn $k$ times), included for
completeness.

Canonical strong WHPOK of a Cramer-Shoup signature of $m$: On common
input $m$, Cramer-Shoup public key $(N, h, x, e')$ and auxiliary secret input to the
prover $(e, y, y')$.

1. The prover calculates $x' = (y')^{e'} h^{-H(m)} \bmod N$, picks $r, r' \in_R \mathbb{Z}_N^*$, computes
$v = r^e \bmod N$, $v' = (r')^{e'} \bmod N$ and sends $e, x', v, v'$ to the verifier.

2. The verifier picks $b, b' \in_R \{0, 1\}$ and sends them to the prover.

3. The prover sends $t = r y^b \bmod N$ and $t' = r' (y')^{b'} \bmod N$ to the verifier.

4. The verifier accepts iff $t^e = v (x h^{H(x')})^b \pmod N$ and
$(t')^{e'} = v' (x' h^{H(m)})^{b'} \pmod N$.
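The following Python program is an added worked example and not code from the paper: it instantiates the Cramer-Shoup scheme of Section 5.1 with constructed toy parameters and runs the canonical 3-move strong WHPOK above between a prover and a verifier (Protocol I's root proof is what each half of the transcript is). It also implements the knowledge extractor that Theorem 10 relies on (responses to both challenges on one first message give $y$ and $y'$) and the rewinding-style simulator that the forging algorithm $B$ uses, which prepares a transcript for a guessed challenge without knowing $y, y'$. The 10-bit safe primes, SHA-256 standing in for $H$, the trial-division primality test and all function names are assumptions made here; with $l = 10$ every $(l+1)$-bit prime is automatically coprime to $p'q'$, which is what lets the trapdoor take $e$-th roots in $QR_N$ by exponentiation.

```python
import hashlib
import random
from math import gcd

# Constructed toy safe primes p = 2*419+1, q = 2*509+1 (both 10 bits), so l = 10
# and e, e' are 11-bit primes. Real deployments use l of several hundred bits.
P, Q = 839, 1019
L = P.bit_length()


def is_prime(n):
    """Trial division; enough for the toy 11-bit exponent range."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def H(data):
    """Collision resistant hash H used as an integer exponent (SHA-256 here)."""
    if isinstance(data, int):
        data = str(data).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rand_unit(rng, N):
    """Uniform element of Z_N^*."""
    while True:
        u = rng.randrange(2, N)
        if gcd(u, N) == 1:
            return u


def rand_prime_exp(rng, exclude=None):
    """Random odd (l+1)-bit prime e != exclude (automatically coprime to p'q')."""
    while True:
        e = rng.randrange(1 << L, 1 << (L + 1))
        if is_prime(e) and e != exclude:
            return e


def keygen(rng):
    N = P * Q
    h, x = pow(rand_unit(rng, N), 2, N), pow(rand_unit(rng, N), 2, N)  # in QR_N
    return (N, h, x, rand_prime_exp(rng)), (P, Q)


def root(base, exp, sk):
    """exp-th root inside QR_N with the trapdoor: exponent exp^-1 mod p'q'."""
    p, q = sk
    N, order_qr = p * q, ((p - 1) // 2) * ((q - 1) // 2)
    return pow(base, pow(exp, -1, order_qr), N)


def sign(pk, sk, m, rng):
    N, h, x, e_prime = pk
    e = rand_prime_exp(rng, exclude=e_prime)
    x_prime = pow(rand_unit(rng, N), 2, N)
    y = root(x * pow(h, H(x_prime), N) % N, e, sk)              # y^e = x h^H(x')
    y_prime = root(x_prime * pow(h, H(m), N) % N, e_prime, sk)  # y'^e' = x' h^H(m)
    return (e, y, y_prime)


def verify(pk, m, sig):
    N, h, x, e_prime = pk
    e, y, y_prime = sig
    if e % 2 == 0 or e.bit_length() != L + 1 or e == e_prime:
        return False
    x_prime = pow(y_prime, e_prime, N) * pow(h, -H(m), N) % N
    return x == pow(y, e, N) * pow(h, -H(x_prime), N) % N


# ---- canonical 3-move strong WHPOK of a CS signature (Section 5.2) ----
def prover_commit(pk, m, sig, rng):
    N, h, x, e_prime = pk
    e, y, y_prime = sig
    x_prime = pow(y_prime, e_prime, N) * pow(h, -H(m), N) % N
    r, r_prime = rand_unit(rng, N), rand_unit(rng, N)
    return (e, x_prime, pow(r, e, N), pow(r_prime, e_prime, N)), (r, r_prime)


def prover_respond(pk, sig, state, b, b_prime):
    N, (_, y, y_prime), (r, r_prime) = pk[0], sig, state
    return (r * pow(y, b, N) % N, r_prime * pow(y_prime, b_prime, N) % N)


def verdict(pk, m, first, b, b_prime, resp):
    N, h, x, e_prime = pk
    e, x_prime, v, v_prime = first
    t, t_prime = resp
    w, w_prime = x * pow(h, H(x_prime), N) % N, x_prime * pow(h, H(m), N) % N
    return (pow(t, e, N) == v * pow(w, b, N) % N
            and pow(t_prime, e_prime, N) == v_prime * pow(w_prime, b_prime, N) % N)


def extract(pk, first, resp00, resp11):
    """Knowledge extractor: responses to (0,0) and (1,1) on one first message
    give y = t1/t0 and y' = t1'/t0', i.e. the whole CS signature (e, y, y')."""
    N = pk[0]
    return (first[0], resp11[0] * pow(resp00[0], -1, N) % N,
            resp11[1] * pow(resp00[1], -1, N) % N)


def simulate(pk, m, b, b_prime, rng):
    """Simulator for a guessed challenge (the forger B rewinds the verifier
    until its guess is right): choose the responses first and solve for v, v'
    so that verdict() holds, without knowing any y, y'."""
    N, h, x, e_prime = pk
    e, x_prime = rand_prime_exp(rng, exclude=e_prime), pow(rand_unit(rng, N), 2, N)
    t, t_prime = rand_unit(rng, N), rand_unit(rng, N)
    w, w_prime = x * pow(h, H(x_prime), N) % N, x_prime * pow(h, H(m), N) % N
    v = pow(t, e, N) * pow(w, -b, N) % N
    v_prime = pow(t_prime, e_prime, N) * pow(w_prime, -b_prime, N) % N
    return (e, x_prime, v, v_prime), (t, t_prime)


def demo(seed=7):
    """Run signing, all four honest transcripts, extraction and simulation."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = b"constructed sample message"          # constructed input
    sig = sign(pk, sk, m, rng)
    first, state = prover_commit(pk, m, sig, rng)
    honest = all(verdict(pk, m, first, b, bp, prover_respond(pk, sig, state, b, bp))
                 for b in (0, 1) for bp in (0, 1))
    extracted = extract(pk, first, prover_respond(pk, sig, state, 0, 0),
                        prover_respond(pk, sig, state, 1, 1))
    sim_first, sim_resp = simulate(pk, m, 1, 0, rng)
    return {"valid": verify(pk, m, sig),
            "tampered_rejected": not verify(pk, b"other message", sig),
            "honest_accepts": honest,
            "extracted_equals_sig": extracted == sig and verify(pk, m, extracted),
            "sim_right_guess": verdict(pk, m, sim_first, 1, 0, sim_resp),
            "sim_wrong_guess": verdict(pk, m, sim_first, 0, 0, sim_resp)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the dictionary of checks. `sim_wrong_guess` being false is the point of the rewinding argument: a simulated first message only survives the challenge it was prepared for, so $B$ must rewind $A$ whenever its guess misses, which is why the footnote counts the four possible challenge pairs.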

6 Goldwasser-Micali-Rivest Based DCS

In this section we show how to transform the Goldwasser-Micali-Rivest (GMR)
signature scheme into a designated confirmer signature scheme. Since the GMR
signature scheme is existentially unforgeable under chosen message attack, using
the construction in Section 4 we can transform it into a DCS scheme. In order to do that
we describe a canonical strong WHPOK of a GMR signature.

6.1 The GMR Signature Scheme

The digital signature scheme of Goldwasser, Micali and Rivest [16] is existentially
unforgeable under chosen message attack under the assumption that claw-free
trapdoor permutations (pairs $f_0, f_1$ for which it is hard to find $x, y$ such that
$f_0(x) = f_1(y)$) exist. In [16] it is shown that such a family of trapdoor permutations
exists if factoring is hard.

Before we describe the scheme we recall the following notation:

Definition 11 Let $\sigma = \sigma_1 \sigma_2 \cdots \sigma_n$ where $\sigma_i \in \{0, 1\}$. We denote by
$$f_\sigma(x) = f_{\sigma_1}(f_{\sigma_2}(\cdots f_{\sigma_n}(x) \cdots))$$
and
$$f_\sigma^{-1}(y) = f_{\sigma_n}^{-1}(f_{\sigma_{n-1}}^{-1}(\cdots f_{\sigma_1}^{-1}(y) \cdots)).$$

The GMR scheme is defined by the following three probabilistic algorithms:

Key Generation: Choose two pairs of claw-free permutations, $(f_0, f_1)$ from
a common domain $D_f$ and $(g_0, g_1)$ from a common domain $D_g$, for which
you know the trapdoors. Uniformly choose $X \in D_f$. The public key is
$(D_f, X, f_0, f_1, g_0, g_1)$ and the secret key is $(f_0^{-1}, f_1^{-1}, g_0^{-1}, g_1^{-1})$.

Signing a message: We denote by $H$ the history and we set $H_1 = \phi$. To
sign the $i$th message $m_i$, uniformly choose $R_i \in D_g$. Set $z_1^i = f^{-1}_{H_i \circ R_i}(X)$
and $z_2^i = g^{-1}_{m_i}(R_i)$. The signature is $\sigma(m_i) = (z_1^i, z_2^i, H_i)$ and the history is
updated, setting $H_{i+1} = H_i \circ R_i$.

Verifying a signature $(z_1, z_2, H)$: Accept iff $f_{H \circ R}(z_1) = X$ for $R = g_m(z_2)$.

Theorem 12 ([16]): If claw-free permutations exist, the above scheme is
existentially unforgeable under chosen message attack.

6.2 Factoring Based GMR Scheme

An implementation based on the intractability assumption of factoring is suggested
in [16]. Let $N = pq$ be the product of two primes satisfying $p \equiv q \equiv 3 \pmod 4$
and $p \not\equiv q \pmod 8$. $f_0(x) = x^2 \bmod N$ and $f_1(x) = 4x^2 \bmod N$ are permutations over
the set of quadratic residues mod $N$.

Theorem 13 ([16]) Under the intractability assumption of factoring the
$(f_0, f_1)$-pair are claw-free trapdoor permutations.

It was noted by Goldreich [12] that the factoring based implementation of
GMR can be sped up. For the $(f_0, f_1)$-pair described above, a fast way of
computing $f_\sigma^{-1}(x)$, where $|\sigma| = k$, is by computing
$$f_\sigma^{-1}(x) = \frac{R_N(2^k, x)}{\left(R_N(2^k, 4)\right)^{i(\sigma)}} \bmod N,$$
where $i(\sigma)$ denotes the integer encoding of $\sigma$ and $R_N(2^k, x)$ denotes the $2^k$th
root of $x$ modulo $N$.
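The following Python program is an added worked example and not code from the paper, from [12] or from [16]: it implements the factoring-based pair $f_0, f_1$ over $QR_N$, the composed permutation $f_\sigma$ of Definition 11, the bit-by-bit inverse that uses the trapdoor $(p, q)$, and Goldreich's shortcut above, and checks that the two inverses agree. The toy primes $p = 1019$, $q = 1031$ (so $p \equiv q \equiv 3 \pmod 4$ and $p \not\equiv q \pmod 8$), the convention that $i(\sigma)$ reads $\sigma_1$ as the least significant bit, and the helper names are assumptions made here; that bit ordering is the one under which $f_\sigma(x) = 4^{i(\sigma)} x^{2^k}$, which the example also checks. Roots are always taken inside $QR_N$, where squaring is a permutation for such $N$, so every root below is unique.

```python
from math import gcd

# Constructed toy primes with p = q = 3 (mod 4) and p != q (mod 8):
# 1019 = 3 (mod 8), 1031 = 7 (mod 8). Real parameters are hundreds of bits.
P, Q = 1019, 1031
N = P * Q


def sqrt_qr(a):
    """The unique square root of a in QR_N that is itself in QR_N.  Trapdoor:
    for p = 3 (mod 4), a^((p+1)/4) mod p is that root mod p; combine by CRT."""
    rp = pow(a, (P + 1) // 4, P)
    rq = pow(a, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N


def f(bit, x):
    """The claw-free pair: f_0(x) = x^2, f_1(x) = 4x^2 (mod N)."""
    return (4 * x * x if bit else x * x) % N


def f_inv(bit, y):
    """f_bit^{-1}(y) for y in QR_N: the QR_N square root of y, or of y/4."""
    return sqrt_qr(y * pow(4, -1, N) % N if bit else y)


def f_sigma(sigma, x):
    """f_sigma(x) = f_{s_1}(f_{s_2}(... f_{s_n}(x) ...)), sigma a 0/1 string."""
    for bit in reversed(sigma):
        x = f(int(bit), x)
    return x


def f_sigma_inv_slow(sigma, y):
    """Invert by peeling the composition from the outside in, one bit at a time."""
    for bit in sigma:
        y = f_inv(int(bit), y)
    return y


def root_2k(k, a):
    """R_N(2^k, a): the 2^k-th root of a inside QR_N (k square roots in a row)."""
    for _ in range(k):
        a = sqrt_qr(a)
    return a


def encode(sigma):
    """i(sigma) with sigma_1 as the least significant bit (assumed convention);
    under it f_sigma(x) = 4^{i(sigma)} * x^{2^k}, see demo()."""
    return sum(int(bit) << j for j, bit in enumerate(sigma))


def f_sigma_inv_fast(sigma, y):
    """Goldreich's shortcut: one 2^k-th root of y, one of 4, then divide."""
    k = len(sigma)
    return root_2k(k, y) * pow(root_2k(k, 4), -encode(sigma), N) % N


def random_qr(rng):
    while True:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1:
            return x * x % N


def demo(seed=1):
    """Check the closed form of f_sigma and that both inverses recover x."""
    import random
    rng = random.Random(seed)
    sigma = "1011001"                      # constructed sample string
    x = random_qr(rng)
    y = f_sigma(sigma, x)
    closed = pow(4, encode(sigma), N) * pow(x, 1 << len(sigma), N) % N
    return {
        "closed_form_matches": y == closed,
        "slow_inverse_ok": f_sigma_inv_slow(sigma, y) == x,
        "fast_inverse_ok": f_sigma_inv_fast(sigma, y) == x,
        "fast_equals_slow": f_sigma_inv_fast(sigma, y) == f_sigma_inv_slow(sigma, y),
    }


if __name__ == "__main__":
    print(demo())
```

The slow inverse takes $k$ square roots of changing values, each preceded by a division by 4 where $\sigma_j = 1$; the shortcut precomputes $R_N(2^k, 4)$ once per length $k$ and then needs only the root of $x$ itself, which is what makes the speed-up worthwhile when many signatures share the same $k$.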



6.3 Canonical WHPOK of the Factoring Based GMR Signature

Proving knowledge of a GMR signature amounts to proving knowledge of a triple $(z_1, z_2, H_i)$ such that $\exists R_i$ with $z_2 = g^{-1}_m(R_i)$ and $z_1 = f^{-1}_{H_i \circ R_i}(X)$. The WHPOK of a GMR signature that we present¹¹ takes advantage of the special structure of the factoring based GMR scheme. Let $f_0(x) = x^2 \bmod N_1$, $f_1(x) = 4x^2 \bmod N_1$, $g_0(x) = x^2 \bmod N_2$ and $g_1(x) = 4x^2 \bmod N_2$. Our protocol uses the fact that in the factoring based GMR scheme, proving knowledge of $g^{-1}_m(R_i)$ and of $f^{-1}_{H_i \circ R_i}(X)$ is done by proving knowledge of modular roots. Thus, we can use the ZKPOK of a modular root from 3.2 as a tool toward a canonical WHPOK of a GMR signature of $m$.

¹¹ In [16] a tree-like structure is imposed on the $H_i$'s, but here, for simplicity, we discuss the simpler and less efficient version in which the $H_i$'s grow linearly in the number of signed messages.

Protocol III: Strong WHPOK of a Factoring based GMR signature

On common input $m$ and public key $(N_1, N_2, X \in D_f)$, and an auxiliary input to the prover $\sigma = (z_1, z_2, H_i)$ (a valid GMR-signature of $m$):

1. The prover computes $R_i = g_m(z_2)$ and sends $R_i, H_i$ to the verifier.

2. The prover proves in zero-knowledge that he knows $(z_1, z_2)$ such that $z_2 = g^{-1}_m(R_i)$ and $z_1 = f^{-1}_{H_i \circ R_i}(X)$. Proving knowledge of $g^{-1}_m(R_i)$ amounts to proving knowledge of the $2^{|m|}$-th root of $R_i \pmod{N_2}$ and proving knowledge of the $2^{|m|}$-th root of $4 \pmod{N_2}$, namely, knowing how to calculate both the numerator and the denominator in

$$g^{-1}_m(R_i) = \frac{R_{N_2}(2^{|m|}, R_i)}{\left(R_{N_2}(2^{|m|}, 4)\right)^{i(m)}} \bmod N_2.$$

Similarly, proving knowledge of $f^{-1}_{H_i \circ R_i}(X)$ amounts to proving knowledge of the $2^{|H_i \circ R_i|}$-th root of $X \pmod{N_1}$ and proving knowledge of the $2^{|H_i \circ R_i|}$-th root of $4 \pmod{N_1}$.



Theorem 14. Protocol III is a strong WHPOK of a GMR signature of $m$.

Proof. The proof is essentially the same as in 5.2. We include it for completeness. It is easy to see that completeness holds: a prover that knows a GMR signature of $m$ can always convince a verifier.

Since we are using the ZKPOK of a modular root, there exists a knowledge extractor for the $2^{|m|}$-th root of $R_i \pmod{N_2}$ and for the $2^{|m|}$-th root of $4$, hence there exists a knowledge extractor for $z_2 = g^{-1}_m(R_i)$. Similarly, there exists a knowledge extractor for $z_1 = f^{-1}_{H_i \circ R_i}(X)$. These $z_1, z_2$, together with the $H_i$ given in the first round, are a GMR signature of $m$, hence a witness extractor exists.

Soundness holds because a cheating prover, who does not know a GMR signature, cannot prove knowledge of at least one of the modular roots he is required to prove in step 2 of the protocol of 6.3. Thus, a cheating prover has probability at most $1/2$ to fool the verifier. Repeating step 2 $k$ times, this probability is reduced to $(1/2)^k$.

We now show that the above protocol is strong witness hiding. It was already proved in [16] that seeing GMR signatures for $m_1, \ldots, m_t$ chosen adaptively by the adversary does not enable an adversary to produce a GMR signature for a new $m \notin \{m_1, \ldots, m_t\}$, let alone seeing partial GMR signatures. But suppose, toward contradiction, that there exists an adversary $A$ which, after running the above protocol III on messages $m_1, \ldots, m_t$ adaptively chosen, can produce a GMR signature $(z_1, z_2, H_i)$ for an $m \notin \{m_1, \ldots, m_t\}$. We show that the existence of such an $A$ implies that the original GMR scheme is not existentially unforgeable, and thus contradicts the claw-free trapdoor permutations assumption (e.g. that factoring is hard).
Intuitively, since $R_i$ and $H_i$ are chosen at random, independently of the message $m$ and the public key, they do not allow an adversary to sign a message. Formally, using $A$ as an internal procedure whose inputs and random tape can be set, we describe an algorithm $B$ that on a GMR public key forges GMR signatures.

Algorithm $B$'s input: GMR public verifying key $PK = (N_1, N_2, X \in D_f)$ and $A$'s program.

Algorithm $B$'s output: a pair $(m, \sigma)$ where $\sigma$ is a valid GMR-signature of $m$ with respect to $PK$.

1. Initially, $B$ runs algorithm $A$ on input $PK$. For each message $m_i$ chosen by $A$, $B$ proves to $A$ on common input $(m_i, PK)$ that he knows a GMR signature of $m_i$ (as in protocol III) as follows.

a) $B$ chooses $R_i \in_R D_g$ and $H_i \in_R D_g$ and gives $R_i, H_i$ to $A$.

b) $B$ proves in zero-knowledge that he knows $z_1, z_2$ such that $z_2 = g^{-1}_{m_i}(R_i)$ and $z_1 = f^{-1}_{H_i \circ R_i}(X)$. Naturally, $B$ does not know such $z_1$ and $z_2$; nevertheless, $B$ can perfectly simulate $A$'s view using the standard rewinding technique for proving zero-knowledge, taking advantage of the ability to rewind $A$ upon a challenge that $B$ was not prepared for.

2. If $A$ outputs a valid GMR signature $(z_1, z_2, H)$ for $m \notin \{m_1, \ldots, m_t\}$, then $B$ outputs $(m, (z_1, z_2, H))$.

Clearly, $B$ runs in probabilistic polynomial time, as does $A$. In step 1(b) $B$ perfectly simulates $A$'s view, and thus in step 2 the adversary $A$ would output a GMR signature with the same probability as when running with the true signer.

□

We remark that one could simplify the above protocol III further (as we did in the Cramer-Shoup case) so that the verifier chooses at random whether the prover will prove knowledge of $z_1$ s.t. $z_1 = f^{-1}_{H_i \circ R_i}(X)$ or knowledge of $z_2$ s.t. $z_2 = g^{-1}_m(R_i)$, but not both.

7 Gennaro-Halevi-Rabin Based DCS

In this section we show how to transform the Gennaro-Halevi-Rabin digital signature (denoted the GHR scheme) [15] into a designated confirmer signature scheme. The GHR signature scheme is existentially unforgeable under chosen message attack, assuming the strong RSA assumption.

The idea of GHR signatures is as follows. Let the public key be a triple $(n, h, x)$ where $n$ is an RSA modulus, $x \in_R \mathbb{Z}_n^*$ and $h \in_R \mathcal{H}$, where $\mathcal{H}$ is a family of hash functions which [15] proves to exist under the strong RSA assumption. On a message $m$, the signature is defined to be $\sigma_h(m) = x^{1/h(m)} \bmod n$.
7.1 Transforming GHR Signatures into a DCS Scheme

In order to turn the GHR signature scheme into a designated confirmer signature scheme using the type of ideas we have used in this paper, we need to give a canonical WHPOK of $R = \{(m, \sigma_h(m))\}$ to be used as a confirmation protocol between signer and verifier. In fact, we do better than that and can give a 3-round zero-knowledge proof of knowledge of a signature.

ZKPOK of a GHR signature of message $m$: On common input message $m$ and public key $(n, h, x)$, and a prover's auxiliary input a signature of $m$, $x^{1/h(m)} \bmod n$:

1. The prover picks a random $r' \in \mathbb{Z}_n^*$, calculates $r = r'^{h(m)} \bmod n$ (which makes $r' = r^{1/h(m)} \pmod n$) and sends $r$ to the verifier.

2. The verifier picks $b \in_R \{0, 1\}$ and sends it to the signer.

3. The prover sends $c = r' \cdot (x^{1/h(m)})^b \bmod n$ to the verifier.

4. The verifier accepts iff $c^{h(m)} = r x^b \pmod n$.

The above protocol is repeated $k$ times and the verifier accepts iff he accepts in each of the iterations, dropping the error probability to $2^{-k}$. It is easy to verify that the protocol is a ZKPOK (with respect to sequential repetitions) with standard methods (similarly to the proof given in 3.2). Using the Goldreich-Kahan [13] methods it can be converted to constant rounds.
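The four steps above, as an added Python example that is not the paper's or [15]'s code: a constructed toy modulus $n = 61 \cdot 53$ with $x = 2790$, a stand-in hash `h` that maps a message to a small prime (so that $x^{1/h(m)}$ exists and the signer can compute it from the factorisation of $n$), an honest prover, the verifier's step-4 check, and a simulator that produces an accepting round without the signature once the challenge bit is known, which is the zero-knowledge intuition behind the protocol. All names are this example's own.

```python
"""Toy GHR signature and the 3-round ZKPOK of Section 7.1 (added example; not the paper's code).

Parameters are tiny constructed values: n = 61 * 53, x = 2790.  The hash h stands in
for the GHR hash family by mapping a message to a small prime.
"""
import hashlib
import math
import random

P, Q = 61, 53                 # constructed toy primes; phi(n) = 3120 = 2^4 * 3 * 5 * 13
N = P * Q
PHI = (P - 1) * (Q - 1)
X = 2790                      # public x in Z_n^* (constructed)


def h(m: bytes) -> int:
    """Stand-in for h in the GHR public key: the first prime at or above
    17 + (SHA-256(m) mod 1000).  Every output is coprime to PHI, so x^{1/h(m)} exists."""
    v = 17 + int.from_bytes(hashlib.sha256(m).digest(), "big") % 1000
    while any(v % d == 0 for d in range(2, int(v ** 0.5) + 1)):
        v += 1
    return v


def ghr_sign(m: bytes) -> int:
    """sigma_h(m) = x^{1/h(m)} mod n, computed with the factorisation of n."""
    return pow(X, pow(h(m), -1, PHI), N)


def ghr_verify(m: bytes, sigma: int) -> bool:
    return pow(sigma, h(m), N) == X


def random_unit(rng):
    while True:
        r = rng.randrange(1, N)
        if math.gcd(r, N) == 1:
            return r


class Prover:
    """Holds the auxiliary input sigma = x^{1/h(m)} and plays steps 1 and 3."""

    def __init__(self, m: bytes, sigma: int, rng):
        self.m, self.sigma, self.rng = m, sigma, rng

    def commit(self) -> int:
        self.r_prime = random_unit(self.rng)          # r' in Z_n^*
        return pow(self.r_prime, h(self.m), N)        # r = r'^{h(m)}

    def respond(self, b: int) -> int:
        return self.r_prime * pow(self.sigma, b, N) % N   # c = r' * sigma^b


def verifier_accepts(m: bytes, r: int, b: int, c: int) -> bool:
    """Step 4: c^{h(m)} == r * x^b (mod n)."""
    return pow(c, h(m), N) == r * pow(X, b, N) % N


def run_zkpok(m: bytes, prover: Prover, k: int, rng) -> bool:
    """k sequential rounds; the verifier accepts only if every round accepts."""
    for _ in range(k):
        r = prover.commit()
        b = rng.randrange(2)                          # step 2: random challenge bit
        if not verifier_accepts(m, r, b, prover.respond(b)):
            return False
    return True


def simulate_round(m: bytes, b: int, rng):
    """Zero-knowledge intuition: knowing the challenge b in advance, a simulator
    without sigma produces an accepting (r, b, c) by choosing c first."""
    c = random_unit(rng)
    r = pow(c, h(m), N) * pow(pow(X, b, N), -1, N) % N
    return r, b, c


def demo(seed: int = 2004) -> dict:
    """Runs the honest prover, a prover holding no signature (it uses sigma = 1),
    and the simulator; returns the verifier's decisions."""
    rng = random.Random(seed)
    msg = b"designated confirmer"
    sigma = ghr_sign(msg)
    cheater = Prover(msg, 1, rng)
    r = cheater.commit()
    return {
        "sig_valid": ghr_verify(msg, sigma),
        "honest": run_zkpok(msg, Prover(msg, sigma, rng), 20, rng),
        "cheat_b0": verifier_accepts(msg, r, 0, cheater.respond(0)),
        "cheat_b1": verifier_accepts(msg, r, 1, cheater.respond(1)),
        "simulated": verifier_accepts(msg, *simulate_round(msg, 1, rng)),
    }


if __name__ == "__main__":
    print(demo())
```

A prover without the signature can prepare for one of the two challenges (here it answers $b = 0$ correctly and fails $b = 1$), which is why a single round has error $1/2$ and $k$ rounds give $2^{-k}$; the simulator shows that a transcript for a known $b$ carries no information about $x^{1/h(m)}$.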

7.2 Transforming the Deterministic RSA into a DCS Scheme

Instead of using the GHR signature scheme and the strong RSA assumption, we could use an even simpler version of the above protocols to get a DCS scheme starting from the plain RSA scheme itself [20]. Let $(n, e)$ be the RSA public key and $d$ be the RSA secret exponent. An RSA signature of $m$ is $m^d \bmod n$. Thus, proving knowledge of an RSA signature of $m$ amounts to proving knowledge of the $d$-th modular root of $m$. This can be done using the ZKPOK of a modular root that we already described in 3.2.

We note that as RSA itself is existentially forgeable, so will be the DCS originating from it. Interestingly, however, whereas the plain RSA scheme is universally forgeable under chosen message attack, this is no longer true for the deterministic RSA based DCS. The reason is that the verifier can no longer request from the signer RSA signatures of messages of his choice, but only to execute $\mathrm{ConfirmedSign}(S, V)$ (where the signer proves knowledge of an ordinary RSA signature without revealing it). Thus, in a sense the DCS obtained by transforming the RSA signature scheme into a DCS scheme is more secure than the signature scheme one starts with.
Abstract. Dwork and Stockmeyer showed 2-round zero-knowledge proof systems secure against provers which are resource-bounded during the interaction [6]. The resources considered are running time and advice (the amount of precomputed information). We re-cast this construction in the language of list-decoding. This perspective leads to the following improvements:

1. We give a new, simpler analysis of the protocol's unconditional security in the advice-bounded case. Like the original, the new analysis is asymptotically tight.

2. When the prover is bounded in both time and advice, we substantially improve the analysis of [6]: we prove security under a worst-case (instead of average-case) hardness assumption. Specifically, we assume that there exists $g \in DTIME(2^s)$ such that $g$ is hard in the worst case for MAM circuits of size $O(2^{s(1/2 + \gamma)})$ for some $\gamma > 0$. Here $s$ is the input length and MAM corresponds to the class of circuits which are verifiers in a 3-message interactive proof (with constant soundness error) in which the prover sends the first message. In contrast, Dwork and Stockmeyer require a function that is average-case hard for "proof auditors," a model of computation which generalizes randomized, non-deterministic circuits.

3. Our analyses rely on new results on list-decodability of codes whose codewords are linear functions from $\{0,1\}^\ell$ to $\{0,1\}^\ell$. For (1), we show that the set of all linear transformations is a good list-decodable code. For (2), we give a new, non-deterministic list-decoding procedure which runs in time quasi-linear in $\ell$.
1 Introduction

In this paper we consider 2-round (that is, two-message) zero-knowledge proof systems for NP. Recently, Dwork and Stockmeyer constructed 2-round, black-box, public-coin, zero-knowledge interactive arguments for all of NP, in a model in which the prover is resource-bounded [6].

Two kinds of bounds are considered: on the running time of the prover during the interaction, and on the prover's advice, that is, the number of bits of advice the prover may have access to during the interaction.

In a little more detail, the prover is split into a preprocessing part and an interaction part. No resource-boundedness is assumed during preprocessing — only the resources used during the protocol are limited. In the advice-bounded case, only a bounded amount of information may be passed from the preprocessing part to the interaction part; in the time-bounded case, the running time of the interaction part is bounded. By "bounded", we mean that the resource bounds are fixed polynomials in the security parameter.

The Dwork-Stockmeyer (DS) protocol uses as a primitive a linear function $f$ with a certain hardness property. The hardness of $f$ is used to prove the soundness of the protocol against resource-bounded provers. (The specific hardness property varies according to which resources of the prover are bounded; very roughly, $f$ must be hard to compute on random inputs by a circuit with the interacting prover's resources, plus limited non-determinism.) For the case of advice-bounded provers, they show that for each $\ell$, if $f_\ell$ ($f$ restricted to $\{0,1\}^\ell$) is a random linear function from $\{0,1\}^\ell$ to $\{0,1\}^\ell$, then with high probability the chosen $f_\ell$ will yield a protocol with soundness error $2^{-\ell}$, for any constant $d > 1$. For provers that are time-bounded (and restricted to polynomial advice, but with no specific polynomial bound on advice) they conjecture that a fixed, efficiently computable function $f$ exists that satisfies the appropriate hardness property, but the conjecture is not shown to be implied by standard complexity or cryptographic assumptions, and no candidate for such an $f$ is given.

The goal of this work is a better understanding of the hardness assumptions behind the protocol's soundness. We show that the standard connection between list-decodable error-correcting codes and average-case hardness (see Related Work) holds in this setting. The challenge in applying this connection is that the DS protocol requires linear functions — this limits both the kinds of codes one can use and the running time of the list-decoding algorithms. Nonetheless, the connection allows us to give a simpler proof that a random linear function has the required hardness. We also show that a strong, but plausible, complexity-theoretic assumption implies the existence of a fixed function $f$ satisfying the hardness condition needed to make the Dwork-Stockmeyer protocol sound against simultaneously time- and advice-bounded provers.

In the rest of this section, we discuss, informally, the Dwork-Stockmeyer protocol, the connection with coding theory, and our results.
The Dwork-Stockmeyer Protocol

Here is an informal description of the interaction portion of the Dwork-Stockmeyer protocol. The protocol is based on the existence of a "hard" function $f$ (more on the complexity requirements on $f$ later). Suppose the prover wants to prove that $\tau \in L$, where $L$ is an NP language. Then the verifier sends a random $x$, and the prover replies with a string $\beta$ and a witness-indistinguishable proof of (roughly) the statement "either $\tau \in L$ or $\beta$ is a valid encryption of $f(x)$."

Intuitively, the protocol is complete because the honest prover will just send a random $\beta$ and will carry out the non-interactive proof using the witness for $\tau \in L$; the protocol is simulatable because the simulator (that is not resource bounded) will give a $\beta$ that is an encryption of $f(x)$ and will use this as the witness for the zap. The main part of [6] involves an implementation that realizes this informal intuition. The main focus of this paper is the soundness proof for the protocol, and readers may skip the details of the protocol itself if they wish.

Regarding soundness, if $\tau \notin L$, then a cheating prover must be able to compute an encryption of $f(x)$ given a random $x$, but (still intuitively) this is difficult if $f$ is computationally hard and the prover is resource-bounded. A number of technical issues arise in formalizing the intuition above; for example, it is not clear that if $f$ is computationally hard, then producing an encryption of $f$ is also computationally hard. Finally, it remains to find the right complexity measure for $f$ which makes the analysis possible.

To this end, Dwork and Stockmeyer introduce the notion of a proof auditor.¹ A proof auditor is an abstract computational model that, roughly speaking, is a randomized and non-uniform version of $\mathrm{NP} \cap \mathrm{coNP}$. The analysis in [6] shows that a prover that successfully cheats with probability $\gamma$ can be converted into a proof auditor of similar complexity (that is, advice size and running time) that computes $f$ on roughly a $\gamma$ fraction of inputs.

Hence, for the protocol to be sound, one must use functions $f$ that are hard on average against proof auditors of bounded complexity. For completeness, there is another requirement: one should be able, in polynomial time, to compute an encryption of $f(x)$ given an encryption of $x$. This is possible if $f$ is a linear function over GF(2) and if the encryption scheme is XOR-malleable.² The Goldwasser-Micali cryptosystem, based on the quadratic residuosity assumption, is XOR-malleable.

In summary, the function $f$ to be used in the Dwork-Stockmeyer protocol should be a linear function over GF(2) and should be hard on average against resource-bounded proof auditors. If we want the protocol to be sound against advice-bounded provers (with no running time restriction), then $f$ has to be hard against advice-bounded proof auditors (with no running time restriction). If we want the protocol to be sound only against time-bounded provers (with an

¹ The proof auditor is an imaginary device used in the analysis of the protocol; it is not part of the protocol.

² A 1-bit encryption scheme is XOR-malleable if one can create an encryption of $a \oplus b$ from encryptions of $a$ and $b$. The value of malleable encryption schemes was first noted by Rivest, Adleman and Dertouzos [19].
Protocol SDS

for language $L$, using function $f : \{0,1\}^\ell \to \{0,1\}^\ell$ which is linear over GF(2), committing encryption scheme $\mathcal{E}$ that is XOR-malleable, a probabilistic public-key cryptosystem generator $\mathcal{G}$, a zap (2-round witness-indistinguishable proof system) $Z$, and constants $a, d, e$; with inputs $\tau$ and $w$.

0. Before the protocol starts, $P$ does the following precomputation:

   (i) Run $\mathcal{G}(k)$ to produce an encryption key $E$. Let $s$ be the random string used to produce $E$.

   (ii) Let $\ell = k^d$ and $x^* \in_R \{0,1\}^\ell$, choose $\alpha \in E(x^*)$ and set $\beta = \phi_f(E, \alpha)$. Here $\phi_f(E, \alpha)$ is a uniformly distributed encryption of $f(x^*)$. The existence of a function $\phi_f$ (that takes an encryption key $E$ and ciphertext $\alpha \in E(x)$ and produces ciphertext $\beta \in E(f(x))$) follows from the linearity of $f$ and malleability of $\mathcal{E}$.

   (Note: the length of the precomputed information, $E, s, \alpha, \beta$, is $O(\ell k)$.)

1. $V \to P$: $V$ chooses $x \in_R \{0,1\}^\ell$ and an additional string $\rho$ of random bits that will be used in zaps, and sends $x$ and $\rho$ to $P$.

2. $P \to V$:

   (i) Send to $V$: $\tau$, $E$, $\alpha$, and $\beta$.

   (ii) Using the witness $w$ proving that $\tau \in L$, send the second-round message of a zap that

   $$\tau \in L \;\lor\; \big(E \in \mathcal{G}(k) \land \alpha \in E(x)\big). \qquad (1)$$

3. $V$ accepts iff:

   (i) $P$ responds within time $a k^e$ (time-bounded case only), and

   (ii) $\beta = \phi_f(E, \alpha)$, and

   (iii) the verifier for the zap in (1) accepts.

Fig. 1. Protocol SDS (simplification of the Dwork-Stockmeyer [6] protocol).



advice bound also implied by the time bound), then $f$ has to be hard against time-bounded proof auditors.

Dwork and Stockmeyer [6] give a complicated proof that a random linear function is hard against advice-bounded proof auditors. They conjecture that there are explicit functions that are hard against time-bounded proof auditors, but they give no such construction based on other complexity assumptions.

Figure 1 gives a more precise description of the DS protocol. The version here is somewhat simplified from the original one, and allows us to assume that the proof auditor coming from the reduction is "single-valued" (see Theorem 2.1). Because the focus of this paper is on the assumptions behind the protocol's soundness, we refer the reader to [6] or to the full version of this paper for more details on the protocol itself.
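As an added example (not code from [6] or from this paper) of the map $\phi_f$ used in steps 0(ii) and 3(ii) of Figure 1: Goldwasser-Micali encryption with a constructed toy modulus $N = 11 \cdot 19$ and pseudo-square $y = 2$, a constructed $4 \times 4$ matrix $A$ over GF(2) standing in for the linear $f$, and the verifier's recomputation check. The deterministic product form of `phi_f` is this example's choice, made so that $V$ can recompute it; all names are hypothetical.

```python
"""phi_f for Protocol SDS with Goldwasser-Micali encryption (added example; not from [6] or this paper).

GM encrypts one bit as y^bit * r^2 mod N, where y is a pseudo-square.  Multiplying two
ciphertexts XORs the plaintexts (XOR-malleability), so for a linear f(x) = A x over
GF(2) both prover and verifier can derive an encryption of f(x) from an encryption of
x.  The modulus N = 11 * 19 and y = 2 are constructed toy values.
"""
import random

P, Q = 11, 19
N = P * Q
Y = 2            # non-residue mod 11 and mod 19, hence Jacobi symbol +1: a pseudo-square


def gm_encrypt(bit, rng):
    while True:
        r = rng.randrange(1, N)
        if r % P and r % Q:
            break
    return pow(Y, bit, N) * r * r % N


def gm_decrypt(c):
    """Trapdoor decryption: c is a residue mod P iff the bit is 0 (Euler's criterion)."""
    return 0 if pow(c, (P - 1) // 2, P) == 1 else 1


def encrypt_vector(x, rng):
    return [gm_encrypt(b, rng) for b in x]


def decrypt_vector(cs):
    return [gm_decrypt(c) for c in cs]


def linear_apply(A, x):
    """f(x) = A x over GF(2), in the clear, for comparison."""
    return [sum(a & xi for a, xi in zip(row, x)) % 2 for row in A]


def phi_f(A, alpha):
    """phi_f(E, alpha): from ciphertexts alpha of the bits of x, build ciphertexts of
    the bits of A x by multiplying the alpha_j selected by each row.  The map is
    deterministic, so V can recompute it in step 3(ii)."""
    beta = []
    for row in A:
        c = 1                                   # the empty product encrypts 0
        for a, cj in zip(row, alpha):
            if a:
                c = c * cj % N
        beta.append(c)
    return beta


def verifier_step_3ii(A, alpha, beta):
    return beta == phi_f(A, alpha)


# Constructed 4x4 matrix over GF(2); row i lists which bits of x feed output bit i.
A_TOY = [[1, 0, 1, 1],
         [0, 1, 1, 0],
         [1, 1, 0, 0],
         [0, 0, 0, 1]]


def check_all_inputs(A=A_TOY, seed=1):
    """Decrypting phi_f(alpha) must give A x for every x in {0,1}^4, and the
    verifier's recomputation must accept the honestly computed beta."""
    rng = random.Random(seed)
    ell = len(A[0])
    for value in range(1 << ell):
        x = [(value >> j) & 1 for j in range(ell)]
        alpha = encrypt_vector(x, rng)
        beta = phi_f(A, alpha)
        if decrypt_vector(beta) != linear_apply(A, x):
            return False
        if not verifier_step_3ii(A, alpha, beta):
            return False
    return True


if __name__ == "__main__":
    print("phi_f correct on all 16 inputs:", check_all_inputs())
```

Only the key holder can decrypt, yet anyone holding $E$ and $\alpha$ can compute $\beta$, which is exactly what the honest prover needs in step 0(ii) and what the verifier needs in step 3(ii); the simulator, which knows $x$, simply encrypts $x$ as $\alpha$ and derives $\beta$ the same way.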



Our Results

Advice-bounded Proof Auditors. Our first result is a connection between list-decodable codes and hardness against advice-bounded proof auditors (of arbitrary running time). We show that if we fix any error-correcting code with good combinatorial list-decoding properties³, and we pick a random codeword $c$ from the code and let $f$ be the function whose truth-table is $c$, then with high probability $f$ is very hard on average against proof auditors of bounded advice. (This is very similar to Trevisan's proof [24] that a random member of a list-decodable code is average-case hard for small circuits with high probability.)

We also show that the set of all linear functions has reasonably good list-decoding properties, even up to twice the minimum distance of the code. It follows that a random linear function is hard on average against advice-bounded proof auditors, and there exist linear functions $f$ for which the Dwork-Stockmeyer protocol is unconditionally sound.⁴ Dwork and Stockmeyer had already proved that random linear functions are hard for advice-bounded proof auditors, but our proof is simpler, and it seems to get to the heart of what makes their protocol sound.

Adding Time-Boundedness. Next, we turn to proof auditors that are simultaneously time- and advice-bounded. We show how to construct an explicit hard function starting from more standard complexity-theoretic assumptions.

Roughly speaking, we start from a function $g$ that is hard in the worst case against a certain type of sub-exponential non-deterministic circuit. We view the truth-table of $g$ as a matrix $A$, and we define $f$ to be the linear mapping $x \mapsto Ax$. We then show that if there is a proof auditor that can compute $f$ well on average, then there is a non-deterministic circuit that can reconstruct $A$, and therefore $g$, violating $g$'s hardness assumption. This analysis can be seen as an algorithmic version of our results that linear functions have good combinatorial list-decoding properties: here we do the list-decoding explicitly, using non-uniformity to choose from the list, and using non-determinism to help with the decoding.

Specifically, we prove security under the assumption that there exists $g \in DTIME(2^s)$ such that $g$ is hard in the worst case for MAM circuits of size $O(2^{s(1/2 + \gamma)})$ for some $\gamma > 0$. Here $s$ is the input length and MAM corresponds to the class of circuits which are verifiers in a 3-message IP (with constant soundness error) in which the prover sends the first message.

Challenges of List-Decoding Linear Functions. The use of list-decoding to construct hard-on-average functions is not new (see Related Work). However, the fact that we need hard linear functions adds challenges which are the focus of the results described above. First of all, the code itself must be a sub-code of the set of all linear functions. More importantly, there is very little room for play in the hardness assumptions. Any linear function can be computed exactly by a circuit of size and time $O(\ell^2)$ on inputs of length $\ell$. This means there is at most a quadratic gap between the resources required to remember a single pair $x, f(x)$ and the resources required to cheat in the [6] protocol. This, in turn, means that the reductions we give (i.e. the list-decoding algorithms) must take much

³ That is, a code such that every sphere of bounded radius contains few codewords.

⁴ Alternatively, this non-explicit construction can be replaced by a preprocessing phase in which $V$ (or a trusted party) randomly chooses such a function and announces it.
less than quadratic time. For this reason we cannot use standard list-decoding techniques and complexity reductions, since those typically involve polynomial blow-ups.

Non-linear Functions. It is an open question whether completely malleable encryption systems exist. By a completely malleable encryption system we mean that given the encryption of $x$ and a circuit $C$, one can compute an encryption of $C(x)$ (malleable schemes were originally called privacy homomorphisms by Rivest, Adleman and Dertouzos [19]).

If semantically secure, completely malleable encryption is possible, then one does not need $f$ to be linear in the Dwork-Stockmeyer protocol. This avoids the difficulties described above. In particular, one can use Reed-Solomon codes instead of linear functions in the case of advice-bounded proof auditors, and a different (more standard) transformation of a worst-case hard function $g$ into an average-case hard function $f$ in the time-bounded case. This leads to a larger (arbitrary polynomial) gap between the resources of an honest prover and those required to cheat. However, the assumption of a completely malleable cryptosystem seems very strong; no candidate is known.

Related Work. The work of Dwork and Stockmeyer followed a long line of work on protocols whose participants have bounded computational power and/or bounded communication; we refer the reader to [6] for a discussion. We focus here on the origins of the techniques we use and on previous uses of derandomization in cryptography.

Derandomization Tools in Cryptography. The mathematical tools used in derandomization, such as error-correcting codes, limited independence, expander graphs, and list-decoding, have been used in cryptography for a long time, a prime example being Goldreich-Levin hard bits [7]. There has been a recent explosion of work in cryptography using these tools more explicitly — see, for example, the work of Lu [14] and later Vadhan [26] improving encryption protocols for Maurer's bounded storage model [16,1] (the work of Lu partly inspired this work). The most closely related work to ours is that of Barak, Ong and Vadhan [2]. By de-randomizing the 2-round zap construction in [5], Barak et al. obtained uniform non-interactive witness-indistinguishable proofs and arguments ([5] shows the existence of a non-uniform non-interactive protocol). As in our work on the simultaneously advice- and time-bounded case, [2] base security of a cryptographic protocol on an assumed worst-case circuit lower bound.

List-Decoding and Average-Case Hardness. The main technique which we take from the derandomization literature is the connection between list-decoding and average-case hardness. The connection had been part of the oral tradition of the community since the early 1990s, due to the independent observation by Impagliazzo and Sudan that the result of [7] could be interpreted as a list-decoding algorithm for the Hadamard code and that other list-decodable codes could be used to prove similar results.

More specifically, our proof that linear functions form a combinatorially good list-decodable code relies on a lemma of Chor and Goldreich [4] on list-decoding punctured Hadamard codes. In the reduction of Section 4, we need to show that the problem of list-decoding a certain code with certain parameters can be solved in quasi-linear "MAM-time." This result is inspired by a reduction in [25] that also involves very efficient list-decoding algorithms that are sped up using non-determinism (actually, in [25], list-decoding is performed by circuits with $\Sigma_i$ gates, for various $i$).

Finally, the results on non-linear functions rely on the techniques of Trevisan and Vadhan [25] just mentioned, and also on the techniques of [13,18,20] which gave hardness results for non-deterministic circuits.



2 Resource-Bounded Provers and Proof Auditors

As discussed above, Dwork and Stockmeyer reduced the soundness of their protocol to the existence of linear functions which are hard for i.o. proof auditors with bounded resources (recall that completeness and zero-knowledge follow from more standard assumptions). In this section we collect the results we will need from [6]. First, we give a precise definition of proof auditors and state the reduction from [6]; we conclude with the statement of their result on the hardness of linear functions for advice-bounded auditors.

In our discussion, we emphasize that the proof auditors coming from the reduction can be made single-valued, a property which we will use in the sequel.

Definition 2.1 (i.o. proof auditors). An i.o. proof auditor for function $f$ is a randomized non-deterministic device. In order to bound the non-uniformity involved, we fix a universal Turing machine $UTM$ which takes an advice string $p \in \{0,1\}^a$. Let $A$ denote the circuit corresponding to the behaviour of the universal machine on advice string $p$. That is, for any input $\omega \in \{0,1\}^*$, we say $A(\omega) = UTM(p, \omega)$.

The circuit $A$ takes an input $x \in \{0,1\}^\ell$, as well as a random input $r \in \{0,1\}^R$ and a non-deterministic input $z$, and outputs a pair $(b, v) \in \{0,1\} \times \{0,1\}^\ell$. We say that an i.o. proof auditor has agreement $\varepsilon$ with a function $f$ if for infinitely many values $\ell \in \mathbb{N}$:

$$\Pr_{x \in \{0,1\}^\ell,\; r \in \{0,1\}^R}\Big[\forall y\ \big(\exists z \in \{0,1\}^N\ (A(x,r,z) = (1,y))\ \iff\ y = f(x)\big)\Big] \;\ge\; \varepsilon.$$

The important parameters of an auditor are its advice bound $a$, its randomness bound $R$, its non-determinism bound $N$, its success probability $\varepsilon$, and its running time $T$. Here "i.o." stands for infinitely often (over $\ell \in \mathbb{N}$).

An i.o. proof auditor $A$ is said to be single-valued everywhere if for any fixed input $x$ and sequence of coin tosses $r$, there is at most one value $y = f_A(x, r)$ for which there exists a string $z$ such that $A(x,r,z) = (1,y)$.

In other words, a single-valued i.o. proof auditor $\varepsilon$-approximates $f$ if there is an $\varepsilon$ fraction of the (input, coins) pairs $(x, r)$ on which the auditor outputs a unique $y = f(x)$. A given circuit $A$ can $\varepsilon$-approximate several different functions.
Theorem 2.1 (Dwork, Stockmeyer [6]). Let $P^*$ be a cheating prover which is limited, during the protocol, to advice bound $A^*(k)$, time bound $T^*(k)$, and randomness $R^*(k)$. Let $\varepsilon^*(k)$ denote $P^*$'s probability of cheating successfully. There exist constants $c_1, c_2, c_3, e$ such that there is a single-valued i.o. proof auditor for $f$ having the following bounds, where $\ell = k^d$ for a constant $d$ appearing in the description of the protocol:

advice $a(k) \le A^*(k)$
running time $T(k) \le T^*(k) + O(k^{c_1} + \ell k^{c_2} + \cdots)$
non-determinism $N(k) \le O(k^{c_3})$
randomness $R(k) \le R^*(k)$
agreement probability $\varepsilon(k) \ge \varepsilon^*(k) - 2 \cdot (\cdots)$

Thus, the DS protocol for $f$ is sound against a certain class of cheating provers if $f$ has no proof auditors from (roughly) the same class with non-negligible agreement.

One of the main results of [6] shows that appropriately "hard" linear functions $f$ exist for the advice-bounded case — hence, no special assumptions are necessary beyond the XOR-malleable cryptosystem (which can be based on standard number-theoretic assumptions) and the existence of trapdoor permutations.⁵

Theorem 2.2 (Random linear functions, [6]). With probability $1 - \delta$, a random linear function $f : \{0,1\}^\ell \to \{0,1\}^\ell$ has no proof auditor with success rate $\varepsilon$ and advice bound $a = \ell^2 - 3 \log \frac{1}{\varepsilon} + \log \delta$.

3 Advice-Bounded Proof Auditors

In this section we show that a random codeword from a list-decodable code defines a hard function for advice-bounded proof auditors, and we show that linear functions have good list-decodability properties. These two results imply that random linear functions are hard for advice-bounded proof auditors.

Definition 3.1 (List-decodable code). Let $\Sigma$ be a finite alphabet. An injective mapping $C : \{0,1\}^n \to \Sigma^L$ is an $(\varepsilon, t(\varepsilon))$ list-decodable code if for all $\varepsilon > 0$ and all $u \in \Sigma^L$ ($u$ need not be in the image of $C$), there are fewer than $t(\varepsilon)$ codewords (i.e., elements of the image) at Hamming distance $L(1 - \varepsilon)$ or less from $u$.

We are interested in codes which support list-decoding when almost all of the positions in a codeword have been corrupted. We think of elements in $\Sigma^L$ as functions mapping $\{0, 1, \ldots, L-1\}$ to elements of $\Sigma$ in the following natural way: for $0 \le i < L$, $i$ is mapped to the $i$-th element in the $L$-tuple. Let $v$ be a codeword. For all functions $g : \{0, 1, \ldots, L-1\} \to \Sigma$, $g$ has agreement $\varepsilon$ with $v$ if and only if $g$ is within distance $(1 - \varepsilon)L$ of $v$.

⁵ Although the security of the Goldwasser-Micali cryptosystem implies the existence of trapdoor permutations based on factoring, we have no reason to assume that this will be true of all XOR-malleable systems.

We begin with some intuition.

Suppose that an auditor is a deterministic machine restricted to $a$ bits of advice (think of the advice as a description of the auditor, to be fed to a universal Turing machine). Suppose we also have a code such that in any ball of relative radius $1 - \varepsilon$ there are at most $t = t(\varepsilon)$ codewords. The number of codewords that have agreement $\varepsilon$ with some auditor is then at most $t 2^a$. If we have $2^n$ codewords and we pick one of them at random, then the probability that we pick a codeword having agreement $\varepsilon$ with some auditor is at most $t 2^a / 2^n$. This intuition does not quite suffice, since we are actually using two different notions of agreement: agreement of a function ($g$) with a function (defined by a codeword $v$), and agreement of a proof auditor with a function. In the first case, the notion of agreement is over choices of inputs to the function: two functions $f, g$ have agreement $\varepsilon$ if the probability over inputs $x$ that $f(x) = g(x)$ is $\varepsilon$. In the second case, the probability is also over random coin tosses made by the auditor (see Definition 2.1).

In the proof of the theorem below, we use the list-decoding property, which talks about agreement of the first kind, to bound the number of codewords with which an auditor can have agreement of the second kind.

Theorem 3.1. Let C : {0,1}^n → Σ^L be a list-decodable error-correcting code, with L = 2^ℓ, Σ = {0,1}^m, and list size t(ε). Let c ∈ C, and let f : {0,1}^ℓ → {0,1}^m be given by f(i) = c_i. With probability 1 − δ, there is no single-valued i.o. proof auditor for f with advice bound a = n − log t(ε²/4) − log(2/ε) − log(1/δ) and which has agreement ε or more with f. (See the footnote on the parameter m.)

Proof. Recall that we describe an auditor as an input to a universal Turing machine. Consider a particular auditor A = UTM(p, ·), where |p| = a. We may define a second auditor, A', that has no non-deterministic inputs, as follows. On input (x, r), A' tries all possible values for z to see if there is a unique y such that A(x, r, z) = (1, y) as z varies. If no such y exists, then A'(x, r) outputs (0, ⊥). If such a y exists, then A'(x, r) outputs (1, y). Note that, by construction of A', for all f

$$\Pr_{(x,r)}\big[A'(x,r) = (1, f(x))\big] = \Pr_{(x,r)}\big[\exists z\,(A(x,r,z) = (1,y)) \text{ for a unique } y,\ \text{and } y = f(x)\big]. \qquad (2)$$

Thus, for all ε and all functions f, A is a single-valued ε-auditor for f if and only if A' is an ε-auditor for f.

At this point, it may be that for any given x, there may exist many r', y' such that A'(x, r') = (1, y'). We wish to restrict our attention to those values y' that occur with sufficient support among the choices for r. To this end, we define a third auditor, A'': On input (x, r), A'' runs A'(x, r) to obtain (b, y). If b = 0, then A''(x, r) outputs (0, ⊥). If b = 1, then A''(x, r) tries enough of the possible choices for r necessary to see if, for at least an ε/2 fraction of the r's, A'(x, r) = (1, y). If so, A''(x, r) outputs (1, y); otherwise it outputs (0, ⊥). A'' has the property that, on any particular x, different values of r can give rise to at most 2/ε different values of A''(x, r).

Footnote: The parameter m does not appear explicitly in the proof of Theorem 3.1. In fact, m affects the function t(ε) in the definition of a list-decodable code. The proof never needs specific values for this function.

Lemma 3.2 If A' is an ε-auditor for f, then A'' is an ε/2-auditor for f.

Proof. For a particular function f, let W_f(x) denote the fraction of random inputs r such that A'(x, r) = (1, f(x)). We know that the expected value (over choice of x) of W_f(x) is the probability (over x and r) with which A' agrees with f. If E denotes expected value, we have:

$$E_x[W_f(x)] = \Pr_{x,r}\big[A'(x,r) = (1, f(x))\big] \ge \varepsilon. \qquad (3)$$

By construction, A''(x, r) = (1, f(x)) precisely when both A'(x, r) = (1, f(x)) and W_f(x) ≥ ε/2, so that

$$\Pr_{x,r}\big[A''(x,r) = (1, f(x))\big] = E_x\big[W_f(x) \mid W_f(x) \ge \varepsilon/2\big] \cdot \Pr_x\big[W_f(x) \ge \varepsilon/2\big].$$

Hence we can write:

$$\begin{aligned}
\varepsilon &\le E_x[W_f(x)] \\
&= \Pr_{x,r}\big[A''(x,r) = (1, f(x))\big] + E_x\big[W_f(x) \mid W_f(x) < \varepsilon/2\big] \cdot \Pr_x\big[W_f(x) < \varepsilon/2\big] \\
&\le \Pr_{x,r}\big[A''(x,r) = (1, f(x))\big] + E_x\big[W_f(x) \mid W_f(x) < \varepsilon/2\big].
\end{aligned}$$

The second term in the last sum can be at most ε/2, since we condition on the fact that W_f(x) < ε/2. Thus, the probability (over x and r) with which A'' agrees with f must be at least ε/2. □
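To make the A → A' → A'' construction and Lemma 3.2 concrete, here is an added Python simulation (it is not the paper's code) over constructed toy domains: eight inputs x, eight coin strings r, four non-deterministic guesses z, a target function f, and a hand-built auditor A that is single-valued and correct on some (x, r), ambiguous across z on others, and silent elsewhere. The exhaustive loops play the role of "trying all possible values"; the functions return exact fractions so that the inequalities of the lemma can be checked as stated.

```python
from fractions import Fraction

# Constructed toy domains (not from the paper): inputs x, random coins r, guesses z.
X = range(8)
COINS = range(8)
GUESSES = range(4)


def f(x):
    """The target function the auditor is supposed to compute (constructed)."""
    return (5 * x + 1) % 8


def auditor_A(x, r, z):
    """Toy non-deterministic auditor A(x, r, z) -> (bit, y), constructed so that it is
    correct and single-valued on some (x, r), ambiguous on others, and silent elsewhere."""
    if x < 4:
        if r < 6:
            return (1, f(x)) if z in (0, 1) else (0, None)   # every accepting z says f(x)
        return (1, (r + z) % 8)                              # different z, different y
    if r == x:
        return (1, f(x))                                      # correct, but only for one r
    return (0, None)


def auditor_A1(x, r):
    """A': deterministic in z; answers only if all accepting guesses agree on one y."""
    answers = {y for z in GUESSES for b, y in [auditor_A(x, r, z)] if b == 1}
    return (1, answers.pop()) if len(answers) == 1 else (0, None)


def support(x, y):
    """W(x, y): the fraction of coins r on which A'(x, r) = (1, y)."""
    hits = sum(1 for r in COINS if auditor_A1(x, r) == (1, y))
    return Fraction(hits, len(COINS))


def auditor_A2(x, r, eps):
    """A'': pass A'(x, r) = (1, y) through only if y has support >= eps/2 on this x."""
    b, y = auditor_A1(x, r)
    if b == 1 and support(x, y) >= Fraction(eps) / 2:
        return (1, y)
    return (0, None)


def agreement(auditor):
    """Probability over (x, r) that the auditor outputs (1, f(x))."""
    hits = sum(1 for x in X for r in COINS if auditor(x, r) == (1, f(x)))
    return Fraction(hits, len(X) * len(COINS))


def max_values_per_input(eps):
    """Largest number of distinct y that A''(x, .) emits for a single x; at most 2/eps."""
    return max(
        len({auditor_A2(x, r, eps)[1] for r in COINS if auditor_A2(x, r, eps)[0] == 1})
        for x in X
    )
```

With this A, A' has agreement 7/16 with f (the inputs x ≥ 4 contribute one good coin each), A'' drops those low-support answers and keeps agreement 3/8, which is still at least half of 7/16 as Lemma 3.2 promises, and no input x sees more than one distinct value from A''.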

To conclude the proof of Theorem 3.1, we let J = ⌈2/ε⌉, and, for each x, choose values g_1(x), ..., g_J(x) so that {g_1(x), ..., g_J(x)} = {y : ∃r A''(x, r) = (1, y)}. The probability (over x and r) with which A'' agrees with f is at most the sum of the agreements of f with the functions g_1(·), ..., g_J(·). Assuming A'' is an ε/2 auditor for f, there must be some i ∈ [J] such that f has agreement ≥ ε²/4 with g_i. Thus, the total number of functions f for which the original A is an ε auditor is at most J · t(ε²/4) = ⌈2/ε⌉ t(ε²/4). If describing the auditor requires only a bits of advice, we can describe all the functions which have ε-auditors with advice bound a using a + log t(ε²/4) + log J bits. Since there are 2^n codewords, choosing one at random will yield a function with an ε-auditor with probability at most 2^{a + log t(ε²/4) + log J}/2^n ≤ δ (when a = n − log t(ε²/4) − log(2/ε) − log(1/δ), as in the theorem). Thus, choosing a codeword at random yields a function not having an ε-auditor with advice bound a with probability at least 1 − δ. □
Now let C be the set of all linear functions mapping ℓ bits to ℓ bits. Each element of C can be described by ℓ² bits (as a matrix). Letting Σ = {0,1}^ℓ and L = 2^ℓ, we can also think of each linear function as a vector in Σ^L by listing its evaluation on all possible inputs. In that view, C is an error-correcting code with dimension ℓ² and minimum distance L/2.
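As an added illustration (this code is not part of the paper), the following Python enumerates the code C for ℓ = 3: each 3×3 matrix over GF(2) becomes the L = 2^ℓ-tuple of its values on all inputs, and the helpers compute the minimum distance and the size of the list of codewords within distance (1 − ε)L of a word u, which is the quantity that t(ε) in Definition 3.1 bounds. The parameter ℓ = 3 and the centre u (the identity map) are constructed for the example.

```python
from itertools import product

ELL = 3                      # constructed toy parameter: linear maps on ELL bits
L = 2 ** ELL                 # codeword length: one symbol per input x in {0,1}^ELL
INPUTS = [bits for bits in product((0, 1), repeat=ELL)]


def apply_matrix(matrix, x):
    """Ax over GF(2); matrix is a tuple of ELL row tuples, x a bit tuple."""
    return tuple(sum(a * b for a, b in zip(row, x)) % 2 for row in matrix)


def encode(matrix):
    """Codeword of a linear map: its evaluations on all L inputs (a word in Sigma^L)."""
    return tuple(apply_matrix(matrix, x) for x in INPUTS)


def all_codewords():
    """Every ELL x ELL matrix over GF(2), keyed by its codeword (2^(ELL^2) of them)."""
    rows = list(product((0, 1), repeat=ELL))
    return {encode(m): m for m in product(rows, repeat=ELL)}


CODE = all_codewords()
ZERO = tuple((0,) * ELL for _ in range(ELL))
IDENTITY = tuple(tuple(1 if i == j else 0 for j in range(ELL)) for i in range(ELL))


def hamming_distance(u, v):
    """Number of positions (inputs x) where the two words give different symbols."""
    return sum(1 for a, b in zip(u, v) if a != b)


def agreement(u, v):
    """Fraction of positions where u and v agree: agreement eps <=> distance <= (1-eps)L."""
    return (L - hamming_distance(u, v)) / L


def min_distance():
    """Smallest distance between two distinct codewords. Since the code is linear,
    d(A,B) = d(A+B, 0), so comparing every nonzero codeword with zero suffices.
    A nonzero linear map vanishes on at most half of the inputs, hence the answer is L/2."""
    zero = encode(ZERO)
    return min(hamming_distance(c, zero) for c in CODE if c != zero)


def list_decode(u, eps):
    """All matrices whose codeword lies within Hamming distance (1-eps)L of u,
    i.e. the list that Definition 3.1 requires to have fewer than t(eps) entries."""
    radius = (1 - eps) * L
    return [m for c, m in CODE.items() if hamming_distance(c, u) <= radius]


def list_size(u, eps):
    return len(list_decode(u, eps))
```

Around a codeword, agreement ε = 1/2 means the difference matrix has a kernel of size at least 4, i.e. rank at most 1, so the list has 1 + (2^ℓ − 1)² = 50 entries; at ε = 1/4 every non-invertible difference qualifies and the list grows to 2^{ℓ²} − |GL(3,2)| = 512 − 168 = 344, which is the kind of growth the (1/ε)^{O(ℓ)} bound of Proposition 3.3 describes.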

Proposition 3.3 The code C has list-size t(ε) = 2^{2.7ℓ(log(1/ε) + 4/3)} = (1/ε)^{O(ℓ)}.

Note that the proposition does not follow from the Johnson bound [11,10], which is the usual tool for proving list-decodability of a code. That bound applies when the radius of interest is less than the minimum distance of the code. In our case, the minimum distance is L/2, but we are interested in bounding the number of words within distance L(1 − ε).

Proof. (Sketch.) For any v ∈ Σ^L and any x ∈ {0,1}^ℓ, we write v(x) to denote the value of v applied to x (recall, words in Σ^L are functions). To prove the Proposition, it suffices to demonstrate how to describe any ℓ×ℓ matrix A having agreement ε with v using only 2.7ℓ(log(1/ε) + 4/3) bits. Let a_1, ..., a_ℓ ∈ {0,1}^ℓ denote the rows of A, and v_i(x) denote the ith bit of v(x).

Fact 3.4 (Chor, Goldreich [4]) If S ⊆ {0,1}^ℓ has at least ε·2^ℓ elements, and g : S → {0,1} is an arbitrary function, then there are at most 9/ε vectors a ∈ {0,1}^ℓ such that Pr_{x∈S}[g(x) = a·x] ≥ 2/3, where a·x denotes the inner product of a and x.

Let E_i denote the event that Ax and v(x) agree in the ith bit, for x ∈ {0,1}^ℓ (that is, a_i·x = v_i(x), where a_i is the ith row of A). We have

$$\varepsilon \le \Pr_x[E_1 \cdots E_\ell] = \Pr_x[E_1] \cdot \Pr_x[E_2 \mid E_1] \cdots \Pr_x[E_\ell \mid E_1 \cdots E_{\ell-1}].$$

We first note that at most log_{3/2}(1/ε) < 1.7 log(1/ε) terms in this product can be smaller than 2/3. To describe the corresponding "bad" rows of A, we specify a_i explicitly, using a total of at most 1.7ℓ log(1/ε) bits.

Now for each of the remaining "good" rows, we have Pr[a_i·x = v_i(x) | E_1 ··· E_{i−1}] ≥ 2/3. Letting S_i = {x ∈ {0,1}^ℓ | E_1 ∧ ··· ∧ E_{i−1}}, we can apply Fact 3.4 to see that each such "good" a_i requires only log(9/ε) < log(1/ε) + 4 bits to specify (given the description of the previous ones). Hence, the total number of bits required to describe A is 1.7ℓ log(1/ε) + ℓ(log(1/ε) + 4). □

The result of [6] on advice bounded provers is now a corollary to Proposition 3.3 and Theorem 3.1 (see footnote). In the next section, we address the non-constructive nature of these results.

Footnote: The bound in [6] is slightly stronger: the 6 is replaced by 3. Another proof can be obtained using constructions of sets of 2^ℓ · 2^{…} linear functions which have pairwise relative distance 1 − δ²/4 (Meshulam, Shpilka [17,21]). Yet another possible approach comes from the results of Mansour et al. [15] on universal hash families. Unfortunately, they are too general to yield tight bounds for binary linear maps.
Corollary 3.5 ([6], Theorem 7.8 on advice-bounded provers) There exists a family of linear functions such that the Dwork-Stockmeyer proof system has soundness error at most ε + 2·4^{−k} against provers who are limited to ℓ² − 6ℓ log(1/ε) bits of advice (for all ε < 1/32).



4 Simultaneously Time- and Advice-Bounded Provers 

We now turn our attention to the case of provers that are simultaneously time- and advice-bounded during the execution of the protocol. We show how to construct efficiently decodable linear functions f that have no simultaneously time- and advice-bounded auditors, based on the rather natural assumption that there exist functions g : {0,1}^ℓ → {0,1} computable in time 2^{O(ℓ)} with no MAM circuits (defined below) of size O(2^{ℓ(1/2+γ)}), for some γ > 0. We create a matrix for the linear function by setting its entries to be the truth table of a suitably hard function, call it g. This hard function may have a very short description. The role of the advice bound is again to prevent a cheating prover from bringing the entire matrix of the linear function into the interaction; however, now the prover may be able to bring in the short description of the hard function g, from which the linear function is constructed. It is the time bound, together with the assumed hardness of g, that prevents a cheating prover from computing the entries in the matrix during the course of the execution of the protocol.

One can view the results of this section as an algorithmic version of the results 
of the previous section: not only are there few linear functions in any given ball 
of bounded radius, but given the ball, some extra advice, and non-determinism, 
each of these linear functions is easy to compute. 

The basic schema for our proof comes from the literature on derandomization 
and hardness amplification. 

Let A be an ℓ×ℓ matrix for a linear function mapping {0,1}^ℓ to {0,1}^ℓ. Let f : {0,1}^ℓ → {0,1}^ℓ be any (not necessarily linear) function having agreement ε with A. Then, given a description of f, we can describe A using only log t(ε) additional bits. This is because, by Proposition 3.3, the linear functions form a list-decodable code with codewords in ({0,1}^ℓ)^{2^ℓ}, and f can be represented as a string in ({0,1}^ℓ)^{2^ℓ}.

This means that, given a circuit C for f, we can describe A using at most |C| + log t(ε) bits, where |C| denotes the size of C. We now wish to consider situations in which this short description of A is in fact a circuit for computing the bits of A.

Suppose that we have an extremely efficient decoding procedure. That is, suppose that given

(a) a circuit C that has agreement ε with a codeword given by a matrix A, and

(b) additional bits of advice (say, to specify A completely),

we can construct a circuit C' which, on inputs i, j, outputs A_{i,j} in "small" time and using O(1) calls to C. Then the existence of a "small" circuit C which correctly computes the linear map x ↦ Ax with probability ε implies the existence of a "small" circuit C' which, on inputs i, j, computes A_{i,j}, where "small" means size O(ℓ^{1+γ}) for some constant γ > 0. Thus, if we use the truth table of a hard function g (one which cannot be computed using "small" circuits) to provide the bits of the matrix A, then we know that no small circuit can have agreement ε with the linear map x ↦ Ax.

Theorem 4.1. Suppose there exists a function g : {0,1}^ℓ → {0,1} that is in E = DTIME(2^{O(ℓ)}) but which has no MAM verifier circuits of size 2^{ℓ(1/2+γ)} for some constant γ > 0. Then, if XOR-malleable cryptosystems exist, for any constant γ' such that 0 < γ' < 2γ, there is a uniformly constructible Dwork-Stockmeyer proof system with negligible soundness error against provers with advice and computation time bounded by O(ℓ^{1+γ'}), where ℓ is the input/output length of the public function f, and k = ℓ^{Ω(1)} is the security parameter for the encryptions and zaps.

In order to prove Theorem 4.1, we first give our result on list-decoding of linear functions, where the list-decoding circuits we construct are in fact verifiers for an MAM proof system. We defer the proof of Theorem 4.1 to the end of this section.

Theorem 4.2. Let F be a field of size q ≥ 10/ε². Let A be a single-valued i.o. proof auditor with non-uniformity bound a, randomness bound R, time bound T, and non-determinism bound N (see Definition 2.1). Let f_A : F^{ℓ'} × {0,1}^R → F be the function computed by A, that is, f_A(x, r) is the single value that A may output on inputs x, r. Suppose that f_A agrees with a linear function given by vector v ∈ F^{ℓ'} with probability at least ε, in the following sense:

$$\Pr_{x,r}\big[f_A(x,r) = v \cdot x\big] \ge \varepsilon.$$

Then we can construct a verifier circuit Arthur for an MAM protocol which computes the row vector v ∈ F^{ℓ'} with probability at least 2/3. The circuit uses O(a + log ℓ' log(1/ε)) bits of non-uniform advice (some of these are necessary just to have v well-specified), and communication O(ℓ' log(1/ε) + R + N) (this corresponds to non-deterministic advice from Merlin). The running time of the circuit for Arthur is O(T + T log(1/ε) + R + N).

Proof (of Theorem 4.2). There are three phases to the reduction. First, use non-determinism (i.e., the first message from the prover Merlin to verifier Arthur) to guess a candidate vector v'. Next, we use a non-deterministic counting technique, due to Stockmeyer [22], to verify that the candidate v' has agreement close to ε (specifically, ε/2) with f_A. By Lemma 4.3, there are at most O(1/ε) such vectors. Finally, we provide the verifier a few bits of advice, enabling it to perform a test which, among those close vectors, is passed only by v. The remainder of the advice bits are used as advice in the calls to A. We now describe the details of the agreement test and the selection of v using short advice.
Agreement Test. Let S ⊆ F^{ℓ'} × {0,1}^R be the set of pairs (x, r) such that f_A(x, r) = v'·x. We wish to verify that |S| ≥ ε q^{ℓ'} 2^R. In fact, we only test that |S| ≥ (ε/2) q^{ℓ'} 2^R.

To do this, the verifier chooses a pairwise-independent random sample U of size M/ε from the set D = F^{ℓ'} × {0,1}^R, where M is some large constant. Consider the set U ∩ S. One can choose M appropriately so that when |S| < ε q^{ℓ'} 2^R/2, the probability of there being more than 3M/4 points is at most 1/3. Conversely, when |S| ≥ ε q^{ℓ'} 2^R that same probability is at least 2/3. Thus, to allow Arthur to check that each of the points is also in S, the prover need only send the verifier 3M/4 points (x, r) in U, together with the non-deterministic inputs z used by A to produce an output on the input pairs (x, r) (a different z for each pair).

For representing the sample U and verifying membership efficiently, view D as the field GF(2^{ℓ' log q + R}). To choose U, the verifier need only choose 2 elements α, β ∈ D at random. To specify an element of U, a string of log(1/ε) + O(1) bits suffices, and it only takes time O(ℓ' log q + R) to reconstruct the full representation (this is the time needed for multiplication in D).
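An added Python sketch of Arthur's side of the agreement test (not from the paper), with the prime field GF(10007) standing in for GF(2^{ℓ' log q + R}) and membership in S replaced by a constructed residue test of known density: the sample is the pairwise-independent progression α + jβ, a point is named by its index j alone, and the decision is whether more than 3M/4 of the M/ε points fall in S. In the protocol Merlin would supply the indices and the witnesses z; here the verifier simply counts.

```python
import random

P = 10_007   # prime field standing in for the paper's GF(2^(l' log q + R)) (assumption)


def sample_points(alpha, beta, size):
    """Pairwise-independent sample U = {alpha + j*beta : j = 1..size} over GF(P).
    Merlin names a point of U by its index j alone; Arthur recomputes alpha + j*beta."""
    return [(alpha + j * beta) % P for j in range(1, size + 1)]


def agreement_test(in_S, eps, M=64, rng=None):
    """Arthur's estimate: draw alpha, beta, take |U| = M/eps points, count those in S.
    With |S| >= eps|D| the expected count is M; with |S| < (eps/2)|D| it is below M/2.
    Pairwise independence gives variance <= M, so Chebyshev separates the cases at 3M/4."""
    rng = rng or random.Random(0)
    alpha, beta = rng.randrange(P), rng.randrange(P)
    size = int(M / eps)
    hits = sum(1 for pt in sample_points(alpha, beta, size) if in_S(pt))
    return hits > 3 * M / 4


def acceptance_rate(in_S, eps, trials=200, M=64, seed=1):
    """Fraction of independent runs of the test that accept."""
    rng = random.Random(seed)
    return sum(agreement_test(in_S, eps, M, rng) for _ in range(trials)) / trials


# Constructed stand-ins for S (the pairs on which f_A agrees with v'.x): membership is
# decided by a residue, so the density of S in D = GF(P) is known in advance.
def dense_set(pt):    # density ~0.30: agreement eps = 0.3 holds, Arthur should accept
    return pt % 10 < 3


def sparse_set(pt):   # density ~0.10 < eps/2: Arthur should reject
    return pt % 10 < 1
```

With M = 64 and ε = 0.3 the sample has 213 points; Chebyshev with the pairwise-independence variance bound gives acceptance probability above 3/4 for the dense set and below 1/30 for the sparse one, and the empirical rates over 200 runs reflect that gap.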

Using Short Advice to Select v. It remains to give a short test to determine whether a given v', having agreement at least ε/2, is the correct v. Let e = log(10/ε²). We view v' as a string of ℓ' log(10/ε²) = ℓ'e bits, and apply a standard polynomial fingerprinting scheme.

Namely, choose p = O(ℓ' log(1/ε) · (1/ε²)), such that p is a power of 2, and work in GF(p). For any string a ∈ {0,1}^{ℓ'e}, write a as a sequence of elements in GF(p), and let a(·) : GF(p) → GF(p) denote the polynomial corresponding to those coefficients. The degree of a(·) is at most D = ℓ'e/log p. Choosing x ∈ GF(p) at random means that any two distinct strings a, a' will satisfy a(x) = a'(x) with probability at most D/p ≤ ℓ'e/p. Now there are O(1/ε) strings which we want to distinguish (Lemma 4.3), and hence O(1/ε²) pairs. Thus, by the union bound the probability that a random point x fails to distinguish some pair is at most O(ℓ'e/(pε²)). To ensure that there is an x distinguishing all pairs, we choose p so as to make this expression less than one. Thus, by appropriately choosing p, we get that there exists some value x such that all the possible strings v' have different values of v'(x). The needed advice is only x, v(x), which requires 2 log p = O(log ℓ' + e) bits. The running time of this procedure is roughly D field operations in GF(p), which takes no more than D · O(log p) = O(ℓ'e) steps. (This is less than the computation time necessary in previous phases.) □
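The fingerprinting step, as an added Python example (not the paper's code): the prime modulus P = 1000003 stands in for the power-of-two field GF(p) used above, each candidate string is chunked into 16-bit coefficients of a polynomial a(·), and the verifier's advice is the pair (x, v(x)). The candidate list and the random seed are constructed for the example; find_distinguishing_point just retries random x until all O(1/ε) candidates separate, which the union bound says happens quickly once p exceeds the number of pairs times the degree.

```python
import random

P = 1_000_003   # prime modulus; stands in for the paper's GF(p) with p a power of two (assumption)
CHUNK = 16      # bits per coefficient, chosen so that every coefficient is below P


def bits_to_coeffs(bits):
    """Split the bit-string into CHUNK-bit integers: the coefficients of a(.)."""
    return [int(bits[i:i + CHUNK], 2) for i in range(0, len(bits), CHUNK)]


def poly_eval(coeffs, x):
    """Horner evaluation of a(x) = sum_i coeffs[i] * x^i in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def fingerprint(bits, x):
    """The fingerprint a(x) of a bit-string a at the point x."""
    return poly_eval(bits_to_coeffs(bits), x)


def degree_bound(nbits):
    """D = (number of coefficients) - 1: two distinct strings collide at a random x
    with probability at most D/P, since their difference is a nonzero degree-<=D polynomial."""
    return -(-nbits // CHUNK) - 1


def find_distinguishing_point(candidates, seed=1, tries=1000):
    """Search for x in GF(P) at which all candidates have pairwise distinct fingerprints.
    By the union bound a random x fails w.p. <= (#pairs) * D/P, so few tries are needed."""
    rng = random.Random(seed)
    for _ in range(tries):
        x = rng.randrange(P)
        prints = [fingerprint(c, x) for c in candidates]
        if len(set(prints)) == len(prints):
            return x
    raise RuntimeError("no distinguishing point found; P is too small for this list")


def select_with_advice(candidates, true_index):
    """Advice = (x, v(x)) for the correct candidate v; the verifier recomputes each
    candidate's fingerprint at x and keeps the one matching the advised value."""
    x = find_distinguishing_point(candidates)
    advice = (x, fingerprint(candidates[true_index], x))
    matches = [i for i, c in enumerate(candidates) if fingerprint(c, x) == advice[1]]
    return advice, matches


# Constructed list of O(1/eps) candidate vectors v', written as 256-bit strings.
_rng = random.Random(7)
CANDIDATES = ["".join(_rng.choice("01") for _ in range(256)) for _ in range(6)]
```

The advice is two field elements, i.e. 2 log p bits, regardless of how long the candidate strings are; only the collision probability D/p, and hence the choice of p, depends on their length.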

The proof above uses the following technical lemma:

Lemma 4.3 When q ≥ 10/ε², there are at most O(1/ε) candidate vectors v' ∈ F^{ℓ'} which have agreement ε/2 with any fixed function f : F^{ℓ'} × {0,1}^R → F.

Proof. Any two distinct linear functions over F agree on at most a 1/q ≤ ε²/10 fraction of the points in the set F^{ℓ'} × {0,1}^R. By the Johnson bound [11,10], any code with minimum relative distance 1 − ε²/10 has list size t(ε) ≤ 3/ε. □
Finally, we can prove Theorem 4.1:

Proof (of Theorem 4.1). Fix some soundness target ε, and choose q to be the smallest power of two greater than 10/ε². Let log(1/ε) = […], so that […] and ε is negligible in […].

Let ℓ' = ℓ/log q. We will use a truth table for g to specify the bits of the matrix A ∈ GF(q)^{ℓ'×ℓ'} describing the (linear) function f to be used for the proof system. We obtain the truth table by listing the value of g on all strings of length log(ℓ'²). Since g ∈ E, we can compute the truth table in time poly(ℓ). Moreover, since f is also linear over GF(2), the protocol will be complete (based on the existence of XOR-malleable cryptosystems).

By choosing a sufficiently small constant α such that k = ℓ^α, we can ensure that the reduction from prover to proof auditor loses no more than ℓ·[…] (additively) in both running time and required advice (see Theorem 2.1). Thus a cheating prover which uses time and advice O(ℓ^{1+γ'}), no non-determinism, and success probability ε + 2·4^{−k}, can be converted to a single-valued i.o. proof auditor which has time and advice bounds O(ℓ^{1+γ'}) and success rate ε (the single-valued property comes from the specifics of the Dwork-Stockmeyer reduction).

Now a proof auditor for a linear map x ↦ Ax is, in particular, a proof auditor (with at least the same success rate) for the linear function given by any row v of A. By Theorem 4.2, we can construct a verifier for an MAM proof system which computes the row vector v, and whose circuit size is O(T + a + ℓ' log(1/ε)) = O(ℓ^{1+γ'}). We can modify this circuit to take an additional input i ∈ [ℓ'] which tells it which row of A it should be computing, so that essentially the same reduction produces a verifier circuit of size O(ℓ^{1+γ'}) which can be used to verify the correctness of any bit of the matrix A (see footnote below). This contradicts the (worst-case) hardness assumption for g, and hence we get that the protocol is secure against provers of time and advice bound O(ℓ^{1+γ'}). □



5 Assuming Complete Malleability

If we are willing to assume the existence of a completely malleable cryptosystem, we are no longer forced to work with functions f which are linear. To guarantee the security of the protocol in this setup we only require that f does not have a proof auditor which is simultaneously time bounded and advice bounded. We have no candidate for an arbitrarily malleable cryptosystem. Nonetheless, in this section we give two additional illustrations of the power of such a (hypothetical) cryptosystem.



Footnote (to the proof of Theorem 4.1): The only difficulty here is that there were log ℓ' log(1/ε) bits of advice which were specific to v and hence to the index i. However, including all ℓ' possible advice strings that Arthur might use increases the circuit size by at most O(ℓ' log ℓ' log(1/ε)). This is dominated by other terms in the circuit size.
5.1 Advice-Bounded Provers and Reed-Solomon Codes

Theorem 3.1 allows us to use almost any good list-decodable code, regardless of linearity. (Polynomial-time computability of any particular component of a codeword is still necessary for completeness.) A natural candidate is the Reed-Solomon code. Suppose that we want a power p gap between the advice needed by the honest prover during the proving time and the advice necessary in order to cheat with probability (roughly) ε. If we consider polynomials of degree d = ℓ^{p−1} over the field F = GF(2^ℓ), then we get a class of functions such that (a) any function is describable by ℓ^p bits, and (b) any two distinct functions from the class agree on at most a fraction d/2^ℓ of the input values in F. By the Johnson bound [11,10], the corresponding Reed-Solomon code has list size t(α) ≤ 3/α for any α > √(d/2^ℓ).

Setting log(1/ε) = ℓ/5 for concreteness, we can apply Theorem 3.1. Using α = ε²/2, we see that as long as cheating provers have less than ℓ^p − log t(α) − log(1/ε) = ℓ^p(1 − o(1)) bits of advice, then there exists a function f (given by some codeword) for which a cheater has at most a probability of ε + 2·4^{−k} chance of breaking the protocol, whereas the honest prover requires advice ℓ·k^c for some constant c. This in fact also requires d/2^ℓ < ε²/32, but this holds whenever 32ℓ^{p−1} < 2^{ℓ/5}, i.e. for all sufficiently large ℓ.



5.2 Simultaneously Time- and Advice-Bounded Provers

To guarantee the security of the protocol in this setup we only require that f does not have a proof auditor which is simultaneously time bounded and advice bounded.

In this section we show that such a proof auditor gives rise to variants of non-deterministic circuits which compute f on a non-negligible fraction of the inputs. We can use "hardness amplification" techniques to construct (non-linear) functions f which are hard on average from functions h which are hard on the worst case. This allows us to base the security of the Dwork-Stockmeyer protocol on more standard complexity assumptions in which the time it takes to compute the hard function is an arbitrary polynomial in its hardness: There are functions computable in E which cannot be computed on the worst case by small Σ_3-circuits (see footnote). We remark that analogous assumptions are used in derandomization to obtain that AM = NP [13,18,20] and to construct extractors for samplable distributions [25].

Theorem 5.1. Suppose there exists a constant γ and a function h = {h_s}, h_s : {0,1}^s → {0,1} computable in time 2^{O(s)} such that h cannot be computed by Σ_3-circuits of size 2^{γs}, and assume the existence of a completely malleable cryptosystem. Then let n denote the length of the statement t, and k ≥ n denote the security parameter. For every constant p > 1 the DS protocol is secure with soundness ε*(k) = 2^{−Ω(k)}, dishonest prover bounds T*(k) = a*(k) = k^p and honest prover bounds T(k) = a(k) = k^{O(1)}, where the constant in the exponent does not depend on p.

Footnote: A Σ_i-circuit is a circuit which can have gates which compute a complete language in Σ_i (the i'th level of the polynomial hierarchy).



As the prover is both time bounded and advice bounded we can assume that all the parameters of the single valued proof auditor are bounded by some bound S. More precisely, that a + R + N + T ≤ S where these parameters are taken from Definition 2.1. We call such an auditor S-bounded. We can also assume that the proof auditor isn't randomized, that is R = 0. This is because the auditor can get the "best" random string r as additional short advice (see the footnote after Theorem 5.3). The auditor is now a circuit A(x, z) of size S such that:

$$\Pr_x\Big[\big(\exists z \in \{0,1\}^N\ A(x,z) = (1,y)\big)\ \text{and}\ y = f(x)\Big] \ge \varepsilon.$$

In words, on an ε fraction of the inputs x, there is a unique answer y such that every "non-deterministic guess" z on which A answers is labelled with y. We have no guarantee on how A behaves on the remaining x's. In particular it may be the case that for every z, the first output of A(x, z) is 0, or that there are contradictory answers (different z's lead to different y's such that A(x, z) = (1, y)).

We first observe that we can transform A into a circuit C (with an NP oracle) such that C does have a unique value for every input.

Lemma 5.2 There is a circuit C with NP-oracle of size O(S) such that

$$\Pr_x\big[C(x) = f(x)\big] \ge \varepsilon.$$

Proof. Let A_1 (resp. A_2) denote the first (resp. second) output of A. On input x, C uses its NP-oracle to check if x ∈ {x | ∀z. A_1(x, z) = 0}. In that case x is not one of the good inputs on which A agrees with f and C answers arbitrarily. If x is good then C uses its NP-oracle to find z such that A(x, z) = (1, y) and outputs y. □

We can now use a result by Trevisan and Vadhan [25] (see also [23]) which shows that if f is a low-degree multivariate polynomial then C can be transformed into a small circuit C' (with Σ_3-oracle) which computes f correctly on every input.

Theorem 5.3. [25] Let F be a finite field (with some fixed, efficient representation), and let f : F^t → F be a polynomial of total degree at most d. If there is a Σ_i-circuit C which computes f correctly on at least an ε = c·√(d/|F|) fraction of points (for some constant c) then there is a Σ_{i+2}-circuit C' with size poly(|C|, d) which computes f correctly everywhere.

Footnote (on fixing the random string): This was not possible in previous proofs in this paper. For example, in the advice bounded case R could be much larger than a, making it impossible to store the "best" random tape.
A nice feature of this result is that the size of C' does not depend on ε. This will allow us to use very small ε which translates into negligible success probability of the cheating prover. We now recall that any function can be extended into a low degree polynomial.

Definition 5.1 (Low-degree extension). The low degree extension of a function h : {0,1}^s → {0,1} into a multivariate polynomial f : F^t → F over a field F with at least 2^{s/t} elements works by taking some subset H ⊆ F of size 2^{s/t} and identifying H^t with {0,1}^s. For every x ∈ H^t we define f(x) = h(x). We can now interpolate and extend f into a polynomial in t variables with degree at most |H| in every variable. The total degree of such a polynomial is at most d = |H|t = 2^{s/t}t.

It immediately follows that:

— If h is computable in time 2^{O(s)} then f is computable in time poly(2^s, log |F|).

— A circuit which computes f induces a circuit which computes h.
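An added Python implementation of Definition 5.1 (not from the paper): over the prime field GF(101) (an assumption; the definition only needs |F| ≥ 2^{s/t}) with s = 4 and t = 2, so |H| = 4, it builds f as the Lagrange interpolation of a constructed h (parity), checks that f agrees with h on H^t, and verifies the degree bound d = |H|t by differencing f along a line.

```python
from itertools import product

P = 101              # prime field F (assumption: any field with at least 2^(s/t) elements works)
S = 4                # h is a function on S-bit strings
T = 2                # number of variables of the extension f
HSIZE = 2 ** (S // T)          # |H| = 2^(s/t)
H = list(range(HSIZE))         # the subset H of F used to identify H^T with {0,1}^S


def h(x_int):
    """Constructed Boolean function: parity of the S bits of x_int."""
    return bin(x_int).count("1") % 2


def inv(a):
    """Multiplicative inverse in GF(P) by Fermat's little theorem."""
    return pow(a, P - 2, P)


def lagrange_basis(a, y):
    """delta_a(y) = prod_{b in H, b != a} (y - b)/(a - b): equals 1 at y = a, 0 at other b in H."""
    num, den = 1, 1
    for b in H:
        if b != a:
            num = num * (y - b) % P
            den = den * (a - b) % P
    return num * inv(den) % P


def point_to_int(a):
    """Identify H^T with {0,1}^S: coordinate i supplies bits i*(S/T) .. (i+1)*(S/T)-1."""
    return sum(ai * HSIZE ** i for i, ai in enumerate(a))


def low_degree_extension(x):
    """f(x) = sum_{a in H^T} h(a) * prod_i delta_{a_i}(x_i): a polynomial of degree
    <= |H|-1 in each variable that agrees with h on H^T (Definition 5.1)."""
    total = 0
    for a in product(H, repeat=T):
        if h(point_to_int(a)) == 0:
            continue
        term = 1
        for ai, xi in zip(a, x):
            term = term * lagrange_basis(ai, xi) % P
        total = (total + term) % P
    return total


def agrees_on_cube():
    """Check f(x) = h(x) for every x in H^T (the first consequence listed above)."""
    return all(low_degree_extension(a) == h(point_to_int(a)) for a in product(H, repeat=T))


def total_degree_at_most(d, u, w):
    """Restrict f to the line u + lam*w. A polynomial of total degree <= d has degree <= d
    in lam there, so its (d+1)-th forward difference over d+2 consecutive points is 0."""
    vals = [low_degree_extension(tuple((ui + lam * wi) % P for ui, wi in zip(u, w)))
            for lam in range(d + 2)]
    for _ in range(d + 1):
        vals = [(vals[i + 1] - vals[i]) % P for i in range(len(vals) - 1)]
    return vals == [0]
```

For this h the interpolant of parity on H = {0,1,2,3} is the quadratic y(3 − y)/2, so f = g(x_1) + g(x_2) − 2g(x_1)g(x_2) has total degree 4: the difference test passes at the paper's bound d = |H|t = 8 and fails at d = 3.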

Lemma 5.4 For every constant γ > 0 there exists a constant γ' > 0 such that if there exists a function h = {h_s}, h_s : {0,1}^s → {0,1} computable in time 2^{O(s)} such that h cannot be computed by Σ_3-circuits of size 2^{γs}, then for every 2 ≤ a ≤ 2^s there is a function f = {f_s}, f_s : {0,1}^{as} → {0,1}^{as} such that f is computable in time 2^{O(s)} and for every s and every NP-circuit C of size 2^{γ's}:

$$\Pr_x\big[C(x) = f_s(x)\big] < 2^{-\Omega(as)}.$$

Proof. We let f_s be the low-degree extension of h_s, taking t = c's/γ (where c' is a constant to be determined later), and |F| = 2^{as/t}. We note that f is computable in time poly(2^s, log |F|) = 2^{O(s)}. By Theorem 5.3 any NP-circuit C of size 2^{γ's} which computes f correctly on an ε = c·√((2^{s/t}t)/2^{as/t}) ≤ 2^{−Ω(as)} fraction of the inputs can be transformed into a Σ_3-circuit C' of size poly(2^{γ's}, 2^{s/t}t) which computes f everywhere. We choose γ' small enough and c' large enough so that the size of C' is at most 2^{γs}. □

We conclude that the assumption of Lemma 5.4 is sufficient for the security of the Dwork-Stockmeyer protocol.

Proof (of Theorem 5.1). On inputs of length n and security parameter k ≥ n we choose s = c log k for some constant c > 1 to be determined later. We use Lemma 5.4 with a = k. We obtain a function f_s that takes inputs of length ℓ = as = O(ck log k), is computable in time poly(k) and is hard for NP-circuits of size 2^{γ's} = k^{cγ'}. By Lemma 5.2, f_s is hard for (k^{cγ'}/c')-bounded proof auditors where c' is the constant hidden in the O(·) notation in Lemma 5.2. By Theorem 2.1 the DS-protocol is (2^{−Ω(as)} + 2·4^{−k})-sound against provers with T* = T − […]. It follows that for every constant p we can choose the constant c so that T* ≥ k^p and ε*(k) ≤ O(4^{−k}). Note that the honest prover runs in time k^{O(1)}, where the exponent is a fixed constant that doesn't depend on c. □
Abstract. We investigate whether it is possible to obtain any meaningful type of zero-knowledge proofs using a one-message (i.e., non-interactive) proof system. We show that, under reasonable (although not standard) assumptions, there exists a one-message proof system for every language in NP that satisfies the following relaxed form of zero knowledge:

1. The soundness condition holds only against cheating provers that run in uniform (rather than non-uniform) probabilistic polynomial-time.

2. The zero-knowledge condition is obtained using a simulator that runs in quasi-polynomial (rather than polynomial) time.

We note that it is necessary to introduce both relaxations to obtain a one-message system for a non-trivial language. We stress that our result is in the plain model, and in particular we do not assume any setup conditions (such as the existence of a shared random string).

We also discuss the validity of our assumption, and show two conditions that imply it. In addition, we show that an assumption of a similar kind is necessary in order to obtain a one-message system that satisfies some sort of meaningful zero-knowledge and soundness conditions.



1 Introduction 

The seminal notion of zero-knowledge proofs, i.e., proofs that yield no knowledge except the validity of the assertion proved, was introduced by Goldwasser, Micali and Rackoff [15]. An interactive proof is said to be zero-knowledge if there exists a simulator that can simulate the behavior of every, possibly malicious, verifier, without having access to the prover, in such a way that its output is indistinguishable from the output of the verifier after having interacted with an honest prover. The idea behind this definition is the following: Assuming that a malicious verifier succeeds in doing something after having interacted with a prover, then by running the simulator, he could have done it himself, without any interaction with a prover.

* Work done while studying at the Weizmann Institute of Science, Israel.

† Work done while visiting the Weizmann Institute of Science, Israel.
It has been shown that both interaction and randomness are necessary for zero-knowledge [14]. In this work, we investigate the possibility of a meaningful relaxation of zero-knowledge which does not require either interaction or randomness from the verifier. Somewhat surprisingly, we show that it is in fact possible to obtain a non-interactive proof system that satisfies a meaningful variant of zero-knowledge. Specifically, under reasonable (although non-standard) assumptions, for every L ∈ NP, we construct a non-interactive system (P, V) (where V is a deterministic polynomial-time non-interactive algorithm) for proving membership in L that satisfies the following properties:

Perfect completeness. For every x ∈ L and w which is a witness for x, V(x, P(x, w)) = 1.

Soundness against Uniform Provers. For every (possibly cheating) uniform probabilistic polynomial-time P*, the probability that P* outputs x ∉ L and a proof π such that V(x, π) = 1 is negligible. (Note that this is a relaxation of the standard soundness property for arguments, which requires soundness against non-uniform polynomial-sized circuits.)

Quasi-polynomial time simulation. There is an n^{polylog(n)}-time algorithm S such that for every x ∈ L ∩ {0,1}^n, and w which is a witness for x, S(x) is computationally indistinguishable (by polynomial-sized circuits) from P(x, w). (Note that this is a relaxation of the standard zero-knowledge property, which requires simulation by a polynomial-time algorithm.)

Notes:

— As observed below, both relaxations are essential in order to obtain a non-interactive proof system for non-trivial languages. There do exist stronger models such as the Common Reference String (CRS) Model [4] where one-message zero-knowledge proofs and arguments can be constructed without these relaxations. However, in this paper we concentrate on the plain model (i.e., without any set-up assumptions or random oracles).

— The quasi-polynomial time condition can be replaced with T(n)-time where T(·) can be any super-polynomial function (see footnote). In this paper, for simplicity, we restrict ourselves to quasi-polynomial time simulation. We note that if one allows larger simulation-time, one can obtain a one-message zero-knowledge argument under quantitatively weaker assumptions than the ones we use. We observe below that to obtain one-message systems, it is essential that the running time of the simulator be longer than the running time allowed to a cheating prover.

— As in the case of uniform (i.e., non-auxiliary input) zero-knowledge, the uniform soundness property is highly problematic when such a proof system is used as a subprotocol of a larger system. Also, the assumptions we use are somewhat non-standard, and so haven't been extensively studied. Therefore, we believe that this result serves more to clarify the boundaries of what can and cannot be done in zero-knowledge, than to provide a new practical proof system. 

^ However, note that if $T(n)$ is larger than the time it takes to compute a witness from a statement $x \in L \cap \{0,1\}^n$ then there is a trivial $T(n)$-time simulator that works as long as the system is witness indistinguishable. 

On the Possibility of One-Message Weak Zero-Knowledge 123 

— As we show in Section 5, the non-standard assumption we use is essentially 
necessary to obtain a non-interactive zero-knowledge argument, even when 
allowing the two relaxations that we make. 

1.1 Related Works 

Several relaxations of zero-knowledge have been suggested in the literature: 

Witness Indistinguishability. The notion of witness indistinguishability was introduced by Feige and Shamir [12] as a relaxation of zero-knowledge. Intuitively, a witness indistinguishable proof is a proof where the view of the verifier is oblivious to the witness the honest prover uses. Recently the existence of one-message witness indistinguishable proofs with deterministic verifier was shown, under complexity theoretic assumptions [2]. Their result shows that so-called NP-proofs, i.e. one-message proofs with deterministic verifiers, can be used to achieve certain security properties also for the prover. 

Zero-knowledge arguments. Brassard, Chaum, and Crépeau [5] introduced the notion of argument systems, which is a relaxation of the [15] notion of proof systems. In an argument system, it may be possible for a cheating prover to convince the honest verifier of a false statement, but only if it makes use of a strategy that cannot be feasibly computed. The usual definition of "feasible computation" is computation by a non-uniform circuit family. We note that for one-message systems, this condition is equivalent to the definition of proof systems, since if there exists a prover message that can convince the verifier of a false statement, a non-uniform prover strategy can have this message "hard-wired" into it. In this paper, we define "feasible computation" as computation by a uniform probabilistic polynomial-time Turing machine. 

Weak Zero-knowledge. Recently simulation in quasi-polynomial time was explic- 
itly proposed as a meaningful relaxation of zero-knowledge [19]. The notion of 
quasi-polynomial time simulatability implies that a malicious verifier will only 
be able to succeed in tasks that are easy for quasi-polynomial time after having 
interacted with a prover. Intuitively, quasi-polynomial time simulatable proofs 
only “leak” information that could be calculated in quasi-polynomial time. Since 
in most applications, the simulation condition is not the desired end result, but 
rather the means to prove the security of protocols,^ it turns out that quasi- 
polynomial simulation suffices for most applications of zero-knowledge, provided 
one is willing to make quantitatively stronger hardness assumptions. In the fol- 
lowing we call proof systems that are simulatable in quasi-polynomial time weak 
zero-knowledge.^ 

^ An interesting exception to this rule is the case of deniable authentication [18,8]. 

^ Note that the notion of weak zero-knowledge used in this paper is different from the 
notion of weak zero-knowledge previously used in the literature (e.g. [16]). 
Zero-knowledge with resource-bounded provers. Dwork and Stockmeyer investigate the possibility of two-round zero-knowledge proofs for provers that are resource-bounded (to, say, running time n^) during the execution of the protocol [10]. Their relaxation of zero-knowledge proofs is somewhat orthogonal to ours. Whereas their definition considers a weaker form of adversaries (namely adversaries that are resource-bounded during the execution of the protocol), we consider a weaker form of zero-knowledge. Both relaxations have in common that the simulator is given a longer running time than the allowed running time of a cheating prover. We note that, as was observed in [10], one-message zero-knowledge proofs cannot be obtained for time-bounded provers. 

1.2 Impossibility Results 

Goldreich and Oren [14] showed that any auxiliary input zero-knowledge (i.e., a system that is zero-knowledge with respect to non-uniform verifiers) proof or argument system for a non-trivial language must have at least three rounds of interaction. Recently, Barak, Lindell and Vadhan [1] showed that, under certain computational assumptions, even uniform zero-knowledge perfect-completeness proof systems for NP must have at least three rounds of interaction. It can also be shown that (under reasonable computational assumptions) it is impossible to obtain one-message zero-knowledge proofs even if both the zero-knowledge and the soundness conditions are required to hold only with respect to uniform algorithms.^ Thus to obtain one-message proof systems, one needs to allow the simulator to run in time which is long enough to break the soundness of the system (which we indeed do). As mentioned above (Section 1.1), this implies that the soundness property cannot hold against polynomial-sized non-uniform provers (since the existence of any cheating prover implies the existence of a polynomial-sized such prover). 

1.3 On the Cryptographic Assumptions Used 

Our construction relies on three assumptions: 

Assumption 1 There exists a one-message (i.e., non-interactive) WI proof system for every language $L \in NP$. 

Recently, Barak, Ong and Vadhan [2] showed that such a system exists if there exist trapdoor permutations, and if $E = \mathrm{Dtime}(2^{O(n)})$ contains a function of non-deterministic circuit complexity $2^{\Omega(n)}$. (See [2] for a discussion on the validity and reasonableness of this second condition.) The protocol of [2] is obtained by derandomizing the Zaps construction of Dwork and Naor [9].^ 

This can be proven in essentially the same way as the proof of Theorem 3. 

^ As noted in [9], Zaps can, in fact, be seen as a non-constructive, non-uniform one-message witness indistinguishable proof (i.e., the honest prover and verifier algorithms are implemented by non-uniform circuits). Nevertheless, since we are interested in giving a constructive protocol in the plain model, without a shared random string or non-uniformity, we need to rely on the protocol of [2]. 

Assumption 2 There exists a non-interactive perfectly binding and computationally hiding commitment scheme, such that given a commitment $C(x)$, the plaintext $x$ can be computed by a "-time algorithm, where $n$ is the security parameter and $c$ is some constant. 

Such a commitment can be constructed based on the existence of one-way permutations with subexponential hardness (using the well-known commitment scheme of Blum [3] with a scaled-down security parameter, see [19] for more details). Alternatively, such a commitment scheme can be based on the assumption that there exists a subexponentially hard one-way function, and that $E = \mathrm{Dtime}(2^{O(n)})$ contains a function of non-deterministic circuit complexity $2^{\Omega(n)}$, using the commitment scheme constructed by [2]. 
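As an added illustration of what "extractable by a scaled-down parameter" means in Assumption 2 (this is example code written for this edition, not code from the paper), the following Python instantiates Blum's bit commitment $\mathrm{Com}(b; r) = (f(r), h(r) \oplus b)$ with a deliberately small security parameter $k$, so that the extractor can recover the committed bit by exhaustively inverting $f$. The SHA-256-based Feistel network standing in for the one-way permutation $f$, the parity predicate standing in for its hard-core bit $h$, and the function names are all assumptions of the example; the Feistel structure is used only because it is a genuine permutation, which is what makes the commitment perfectly binding and the extracted bit unique.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple


def _feistel_perm(k: int, r: int, rounds: int = 4) -> int:
    """Constructed toy stand-in for a one-way permutation f on k bits (k even).

    A Feistel network is a bijection for any round function, so commitments
    built on it are perfectly binding. Its only "hardness" is that inverting it
    by exhaustive search costs 2^k evaluations: the scaled-down parameter makes
    that cost affordable for the extractor.
    """
    if k % 2 or not (0 <= r < 1 << k):
        raise ValueError("k must be even and r must be a k-bit value")
    half = k // 2
    mask = (1 << half) - 1
    left, right = r >> half, r & mask
    for i in range(rounds):
        digest = hashlib.sha256(bytes([i]) + right.to_bytes(8, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest, "big") & mask)
    return (left << half) | right


def _hardcore_bit(r: int) -> int:
    """Parity of r, a fixed stand-in for a hard-core predicate of f (assumption)."""
    return bin(r).count("1") & 1


def commit_bit(k: int, b: int, r: Optional[int] = None) -> Tuple[Tuple[int, int], int]:
    """Blum-style commitment to bit b: Com(b; r) = (f(r), h(r) xor b).

    Returns (commitment, opening), where the opening is the randomness r.
    """
    if r is None:
        r = secrets.randbelow(1 << k)
    return (_feistel_perm(k, r), _hardcore_bit(r) ^ b), r


def verify_opening(k: int, com: Tuple[int, int], b: int, r: int) -> bool:
    """Receiver's check of a claimed opening (b, r) against the commitment."""
    return commit_bit(k, b, r)[0] == com


def extract_bit(k: int, com: Tuple[int, int]) -> int:
    """The extractor E of Assumption 2: recover the committed bit in 2^k time by
    inverting f on the scaled-down parameter. Because f is a permutation the
    preimage is unique, so this is the only bit the commitment can be opened to."""
    y, c = com
    for r in range(1 << k):
        if _feistel_perm(k, r) == y:
            return c ^ _hardcore_bit(r)
    raise ValueError("not a valid commitment")


def commit_string(k: int, bits: str) -> List[Tuple[int, int]]:
    """Commit to a bit string bit by bit (how a value y would be committed in Protocol Pi)."""
    return [commit_bit(k, int(ch))[0] for ch in bits]


def extract_string(k: int, coms: List[Tuple[int, int]]) -> str:
    """Extract every bit of a bit-wise committed string."""
    return "".join(str(extract_bit(k, c)) for c in coms)
```

With $k = 12$ the extractor needs at most $2^{12}$ evaluations of $f$, which is the "complexity leveraging" of Section 3 in miniature: the honest receiver cannot learn the bit faster than that, but a reduction that is granted $2^k$ time can.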

Assumption 3 There exists a language $\Lambda \in P$ and constants $c_1 < c_2$ such that 

$\Lambda$ is hard to sample in time . For every probabilistic "-time algorithm $A$, the probability that $A(1^n) \in \Lambda \cap \{0,1\}^n$ is negligible. 

$\Lambda$ is easy to sample in time . There exists a ”-time algorithm $S_\Lambda$ such that for every $n \in \mathbb{N}$, $\Pr[S_\Lambda(1^n) \in \Lambda \cap \{0,1\}^n] \geq 1 - \mu(n)$ where $\mu(\cdot)$ is a negligible function (i.e., $\mu(n) =$ ).^ 

As far as we are aware, this assumption is new, and therefore needs to be 
justified. We discuss its validity in Section 4. 



2 Definitions and Preliminaries 

Witness relations. Recall that a language $L$ is in NP if there exists a polynomially-bounded and polynomial-time decidable relation $R_L$ such that $L = \{x \mid \exists y \text{ s.t. } (x, y) \in R_L\}$. We call $R_L$ the witness relation of $L$. We define $L(x)$ to be 1 if $x \in L$ and 0 otherwise. 

Interactive proofs and arguments. We will use the notion of interactive proofs 
[15] (see [13] for the definitions). Interactive arguments [5] are defined in analogy 
with interactive proofs, with the only difference that the soundness condition 
only needs to hold against provers that can be implemented by a polynomial- 
sized circuit. A uniform-soundness argument is defined in an analogous way, 
where the soundness condition only needs to hold against provers that can be 
implemented by a uniform probabilistic polynomial-time Turing machine. 

Weak Zero-knowledge. Recall the standard notion of zero-knowledge proofs [15] 
(See [13] for exact definitions). We will use the following weaker form of zero- 
knowledge, following [19]: 

^ Because $\Lambda \in P$, the probability of success can be amplified, and so this term can be replaced with anything between $1/\mathrm{poly}(n)$ and $1 -$ . 

Definition 1 We say that an interactive proof (or argument) $(P, V)$ for the language $L \in NP$, with the witness relation $R_L$, is $T(n)$-simulatable if for every probabilistic polynomial-time machine $V^*$ there exists a probabilistic simulator $S$ with running time bounded by $T(n)$ such that the following two ensembles are computationally indistinguishable (when the distinguishing gap is a function in $n = |x|$): 

— $\{(P(y), V^*(z))(x)\}_{z \in \{0,1\}^*,\, x \in L}$ for arbitrary $y \in R_L(x)$ 

— $\{S(x, z)\}_{z \in \{0,1\}^*,\, x \in L}$ 

That is, for every probabilistic algorithm $D$ running in time polynomial in the length of its first input, every polynomial $p$, all sufficiently long $x \in L$, all $y \in R_L(x)$ and all auxiliary inputs $z \in \{0,1\}^*$ it holds that 

$$\bigl|\Pr[D(x, z, ((P(y), V^*(z))(x))) = 1] - \Pr[D(x, z, S(x, z)) = 1]\bigr| < \frac{1}{p(n)}$$

We say that an interactive proof (or argument) is weakly zero-knowledge if it is $n^{\mathrm{polylog}(n)}$-simulatable. 

Remark 1. Note that the definition used only requires that the output of the simulator is indistinguishable by polynomial-sized circuits (as opposed to the quasi-polynomial running time of the simulator). 

Extractable commitment scheme. As mentioned above, we define an extractable commitment scheme to be a (perfectly binding and computationally hiding) non-interactive commitment scheme, such that it is possible to extract the plain-text from the commitment scheme, in time . 

Witness indistinguishable proof systems. A witness indistinguishable (WI) proof system [12] for a language $L$ with witness relation $R_L$ is a proof system such that for every $x \in L$ and $w, w' \in R_L(x)$, it is infeasible to distinguish between the view of any polynomial-sized verifier when interacting with the honest prover that gets $w$ as auxiliary input, and its view when it interacts with the honest prover that gets $w'$ as auxiliary input. As mentioned above, we assume that there exists a one-message WI proof system for every $L \in NP$. 

3 One-Message Weak Zero-Knowledge Argument for NP 

In this section we show a construction of a one-message weak zero-knowledge 
argument for NP with uniform soundness. 

The protocol, which follows the Feige-Lapidot-Shamir paradigm [11], can be viewed as a derandomization of the two-round quasi-polynomial-time simulatable protocol of [19]. In order to do so we rely on the one-message witness indistinguishable protocol of [2]. 
3.1 The Protocol 

Let $\Lambda$ be a language in P that is hard to sample in probabilistic time ^ ", but easy to sample in time ^ " (where $c_1 < c_2$). Let Com be a commitment scheme extractable by a time ” ” algorithm, where we scale the parameters in such a way that $c_0 < c_1$. We define the following protocol: 

Protocol Π - One-message Weak ZK Argument for NP 

Common Input: an instance $x$ of a language $L$ with witness relation $R_L$; $1^n$: security parameter (we assume without loss of generality that both the witness size and the statement size are of length $n$). 

The protocol: $P \to V$: $\sigma = \mathrm{Com}(0^n)$, a one-message WI argument $z$ showing the statement 

Either $x \in L$ or $\sigma$ is a commitment to a member of $\Lambda$ 

More formally, the statement proven is that either $x \in L$ or that there exist $y, r$ such that $\sigma = \mathrm{Com}(y; r)$ and $y \in \Lambda$. 



We have the following theorem: 

Theorem 1 Under Assumptions 1, 2 and 3, Protocol Π is a one-message weak zero-knowledge argument with uniform soundness for NP. 

Proof. We show that the above protocol is both sound against uniform probabilistic polynomial-time provers and simulatable in quasi-polynomial time. 

Soundness. Let us start with the soundness condition. We prove this using complexity leveraging [6]. Assume, for contradiction, that there exists a uniform probabilistic machine $P^*$ that produces an accepting proof $\sigma, z$ for a statement $x \notin L$. Let $y$ be the plaintext that is committed to by $\sigma$. By the perfect soundness condition of the WI system, either $x \in L$ or $y$ is a member of $\Lambda$. Since the protocol uses extractable commitments, there exists a machine $E$ that can extract $y$ in time . Furthermore, since $x \notin L$, it must hold that $y \in \Lambda$. Combining $E$ with the prover $P^*$, we obtain a uniform machine that outputs a member of $\Lambda$ in time less than ^ ", contradicting the hard-to-sample condition of $\Lambda$. 

Simulation. Now, let us turn to quasi-polynomial time simulation. On input $x$, the simulator will obtain a member $y \in \Lambda$ in time ^ ", compute a commitment $\sigma$ to $y$ and then prove in the WI system the true statement that either $(x, y) \in R_L$ or $y \in \Lambda$. It remains to show that the output of the simulator is indistinguishable from the output of the honest prover. This is done through a standard hybrid argument. That is, for every $(x, w) \in R_L$, we consider an intermediate hybrid $H = (\mathrm{Com}(y), z)$ where $y$ is the member of $\Lambda$ obtained by the simulator, but $z$ is a WI proof of the combined statement computed using the witness $w$ for the fact that $x \in L$. The hybrid $H$ is computationally indistinguishable from the simulator's output by the hiding property of the commitment scheme, and is computationally indistinguishable from the honest prover's output by the WI property of the WI system. ■ 

Remark 2. We note that the output of the simulator is only polynomial-time indistinguishable from a valid transcript. By using quantitatively stronger assumptions, such as the existence of WI proofs where indistinguishability is guaranteed against quasi-polynomial time, the output of the simulator can be made indistinguishable for time $T'(n) =$ ”, for some constant $c$. Note, however, that in order to prove soundness, we require that the running time $T'(n)$ of the distinguisher is strictly smaller than the running time of the simulator. It is an interesting open problem to come up with a construction (under standard/reasonable assumptions) that allows the running time of the distinguisher to be greater than the running time of the simulator. 



4 On the New Complexity Theoretic Assumption 

In this section we discuss the new complexity theoretic assumption that we 
use (Assumption 3). We show that Assumption 3 is implied by two different 
assumptions. Furthermore, in Section 5 we show that a variant of Assumption 3 
is necessary to obtain a one-message weak zero-knowledge uniform-soundness 
argument. 



4.1 Basing Assumption 3 on Uniform Hash Functions 

In this section, we observe that Assumption 3 is implied by the existence of a hash function that is collision resistant against subexponential-time uniform algorithms. That is, if there exists a function $H$ (computed by a polynomial-time algorithm) and a constant $\epsilon > 0$ such that $|H(x)| =$ -1^, but for every 2^ -time algorithm $A$, the probability that $A$ outputs a pair $x \neq x' \in \{0,1\}^k$ such that $H(x) = H(x')$ is negligible. Note that $H$ is a single function, and not a collection of functions, and so a non-uniform circuit will be able to output such a collision. 

Define $\Lambda = \{(1^n, x, x') \mid x \neq x' \in \{0,1\}^{k} \text{ and } H(x) = H(x')\}$, where $k =$ '°®^^' n. We see that if $A$ is an algorithm that runs in time less than 2 k _ 2iog " = then $A$ will not be able to output a member of $\Lambda$. On the other hand, one can output a member of $\Lambda$ by running the trivial collision finding algorithm that runs in time $2^k =$ . 
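To make the two halves of this argument concrete (membership in $\Lambda$ is a cheap polynomial-time check, while producing a member costs time exponential in the hash's output length), here is an added Python example; it is not code from the paper. The hash $H$ is a constructed toy (SHA-256 truncated to $\lceil k^{\epsilon} \rceil$ bits with $\epsilon = 1/2$), the input length $k(n) = \lceil \log_2 n \rceil^2$, and the function names are all assumptions of the example. The sampler is exactly the "trivial collision finding algorithm": it hashes distinct inputs until an output repeats, which the pigeonhole principle guarantees within $2^{|H(x)|} + 1 \le 2^k$ evaluations.

```python
import hashlib
import math
from typing import Dict, Tuple

EPS = 0.5  # constructed choice of the compression exponent epsilon (assumption)


def input_bits(n: int) -> int:
    """k = k(n): input length of the hash, poly-logarithmic in n (assumption)."""
    return max(4, math.ceil(math.log2(n)) ** 2)


def output_bits(n: int) -> int:
    """|H(x)| = ceil(k^eps) < k, so H compresses and collisions must exist."""
    return max(2, math.ceil(input_bits(n) ** EPS))


def H(n: int, x: int) -> int:
    """Constructed toy hash: SHA-256 of the k-bit input, truncated to output_bits(n) bits.
    It is a single fixed function, as Section 4.1 requires (no key, no family)."""
    k = input_bits(n)
    if not 0 <= x < 1 << k:
        raise ValueError("x must be a k-bit value")
    digest = hashlib.sha256(x.to_bytes((k + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << output_bits(n)) - 1)


def in_lambda(n: int, x: int, x_prime: int) -> bool:
    """Polynomial-time membership test for (1^n, x, x') in Lambda:
    both are k-bit strings, they differ, and they collide under H."""
    k = input_bits(n)
    in_range = 0 <= x < 1 << k and 0 <= x_prime < 1 << k
    return in_range and x != x_prime and H(n, x) == H(n, x_prime)


def sample_lambda(n: int) -> Tuple[int, int, int]:
    """The trivial collision finder: hash distinct inputs until an output repeats.
    By the pigeonhole principle at most 2^|H(x)| + 1 inputs are needed, which is
    at most 2^k work. Returns (x, x', number_of_hash_evaluations)."""
    seen: Dict[int, int] = {}
    for x in range(1 << input_bits(n)):
        h = H(n, x)
        if h in seen:
            return seen[h], x, x + 1
        seen[h] = x
    raise RuntimeError("unreachable: H compresses, so a collision exists")
```

Running `sample_lambda(1024)` gives $k = 100$ and a 10-bit output, so a member of $\Lambda$ appears after at most 1025 hash evaluations, while `in_lambda` verifies any candidate with two. Scaling $n$ up grows the sampler's cost as $2^{\lceil k^{\epsilon}\rceil}$ but leaves the membership check polynomial, which is the gap Assumption 3 asks for.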

We note that one candidate for such a uniform hash function may be obtained 
from the AES cipher [7], since (unlike DES), it uses algebraic components that 
can be scaled to arbitrarily large input lengths. 
4.2 Basing Assumption 3 on the Hardness of NE ∩ coNE 

In this section, we show that Assumption 3 is implied by the existence of a unary language $L$ in NP ∩ coNP that is hard for subexponential-time algorithms. Note that we only require worst-case hardness.^ However, we do require that for every subexponential algorithm, the set of input lengths for which the algorithm fails to decide the language will be sufficiently "dense", in the sense that for every such algorithm $A$, and every large enough $n \in \mathbb{N}$, there exists $k \in (2^n, 2^{n+1}]$ such that $A(1^k)$ is different from $L(1^k)$. An equivalent way to formalize this requirement is that there exists a (binary) language $L$ in NE ∩ coNE (where NE = $\mathrm{Ntime}(2^{O(n)})$ is the class of all languages decidable in non-deterministic exponential time) that is worst-case hard for doubly exponential-time algorithms, in the sense that for every such algorithm $A$, and every large enough $n \in \mathbb{N}$, there exists an input $x \in \{0,1\}^n$ such that $A(x) \neq L(x)$. Thus, this can be looked upon as a "scaling up" of the assumption that NP ∩ coNP ⊄ SUBEXP (where SUBEXP = $\bigcap_{\epsilon > 0} \mathrm{Dtime}(2^{n^{\epsilon}})$ is the class of all languages having a subexponential algorithm).^ 

Theorem 2 Suppose that there exists a unary language $L \in NP \cap coNP$ and $\epsilon > 0$ such that for every 2" -time probabilistic algorithm $A$, and every sufficiently large $i \in \mathbb{N}$, there exists $k \in (2^i, 2^{i+1}]$ such that $A(1^k) \neq L(1^k)$. 

Then, there exists a hard-to-sample language $\Lambda$. 

Proof Sketch: Let $L$ be the assumed language, and assume (using padding if necessary) that for every $k$ the witness that $1^k$ is a member, or is not a member, of $L$ is of length $k$. We define the language $\Lambda$ in the following way: the tuple $(1^m, 1^i, w_{2^i+1}, b_{2^i+1}, w_{2^i+2}, b_{2^i+2}, \ldots, w_{2^{i+1}}, b_{2^{i+1}})$ is in $\Lambda$ if 

1. i = log(log^/^ m) 

2. For every $k \in (2^i, 2^{i+1}]$, $w_k$ is a witness that $L(1^k) = b_k$. 

Firstly, note that $\Lambda$ is indeed in P. Also note that an element of $\Lambda$ can be obtained by finding each of the $2^i$ witnesses using exhaustive search (taking at most 2^ steps, which is poly-logarithmic in $m$). 

Finally, we claim that every $m^{\log m}$-time algorithm $A$ will fail to output a member of $\Lambda$ starting with $1^m$ for all (sufficiently large) $m$'s.^ Indeed, any such algorithm can be converted into a 2" -time decision procedure $B$ for the original language $L$ in the following manner: On input $1^k$, Algorithm $B$ will find $i$ such that $k \in (2^i, 2^{i+1}]$ and compute $m$ such that $m =$ . Then, it will run $A$ to obtain a member $(1^m, 1^i, w_{2^i+1}, b_{2^i+1}, \ldots, w_{2^{i+1}}, b_{2^{i+1}})$ of $\Lambda$, and then output $b_k$. Note that this takes at most $m^{\log m} = 2^{\log^2 m}$ steps, which is less than 2^ steps. ■ 

^ Unfortunately, there is no known complete language for NP ∩ coNP, which means that, unlike the case in [17] and [2], we do not know of a fixed language $L_0 \in NP \cap coNP$ that satisfies this condition, as long as some language $L$ satisfies it. 

^ Note that we assume hardness with respect to probabilistic algorithms. However, under standard complexity assumptions, probabilistic algorithms are equivalent to deterministic algorithms (c.f., [17]). 

^ Note that formally, $A$'s job is to output a member of $\Lambda \cap \{0,1\}^m$. However, since any member of $\Lambda$ starting with $1^m$ is of length $m + \mathrm{polylog}(m)$ (and this length is a fixed function of $m$), these two conditions are equivalent. 

Remark 3. Another condition that implies Assumption 3 is the existence of a language in NE = $\mathrm{Dtime}(2^{O(n)})$ that is hard on the average, in the sense that any doubly-exponential algorithm will succeed on at most a $\frac{1}{2} + \delta$ fraction of the inputs (with $\delta < \frac{1}{2}$). Loosely speaking, given such a language $L$, one can define a language $\Lambda$ of witnesses for a $\frac{1}{2} - \delta$-fraction of the inputs of a particular length (note that at least a $\frac{1}{2} - \delta$-fraction of the inputs of any length must belong to $L$ for it to be hard on the average). An algorithm to sample a member of $\Lambda$ can be converted into an algorithm that decides $L$ with a better than $\frac{1}{2} + \delta$ advantage. Again, this is equivalent to the existence of a hard-on-the-average unary language in NP. 

5 On the Necessity of the Assumption 

In this section we show that the existence of one-message weak zero-knowledge arguments for NP implies a slightly weaker variant of Assumption 3. 

Theorem 3 Suppose that there exist one-to-one one-way functions hard against quasi-polynomial-time algorithms and that there exists a one-message weak zero-knowledge argument with uniform soundness for every $L \in NP$. Then, there exists a language $\Lambda$ that is hard to sample by polynomial-time algorithms, and that can be sampled by a quasi-polynomial-time algorithm. 

Before proving this theorem, note that its conclusion is only weaker than Assumption 3 in that the language is hard to sample by polynomial-time algorithms, and not by ^ "-time algorithms. 

Proof Sketch: Let $f$ be a one-to-one one-way function, and let $h$ be its hard-core bit [20]. We define the following NP language $L$: $L = \{(f(x), h(x)) \mid x \in \{0,1\}^*\}$. Under the assumptions of the theorem, there exists a one-message weak zero-knowledge uniform-soundness argument system for $L$. Let $V$ be the verifier algorithm for this system. We define the language $\Lambda$ as follows 

$$\Lambda = \{(y, b, \pi, x) \mid y = f(x),\ b \neq h(x),\ V(y, b, \pi) = 1\}$$

that is, $\Lambda$ is the language of "false proofs" (i.e., proofs for false statements that pass verification). Clearly, the uniform soundness condition of the zero-knowledge system implies that it is infeasible for uniform probabilistic-time algorithms to sample a member of $\Lambda$. However, we claim that there is an $n^{\mathrm{polylog}(n)}$-time algorithm $A$ to sample a member of $\Lambda$. On input $1^n$, Algorithm $A$ will choose $x$ at random from $\{0,1\}^n$, and $b$ at random from $\{0,1\}$, and output $(f(x), b, \pi, x)$ where $\pi$ is obtained by applying the simulator of the system to the statement $(y, b)$. We claim that 

1. The probability that $V(f(x), b, \pi) = 1$ is very close to 1. Indeed, otherwise the simulator combined with the verifier would be a distinguisher between the distribution $(f(x), b)$ and the distribution $(f(x), h(x))$. 

2. The probability that $b \neq h(x)$ is equal to $\frac{1}{2}$ (since the choice of $b$ is independent from the choice of $x$). 

We see that $A$ outputs a member of $\Lambda$ with probability very close to $\frac{1}{2}$. Since membership in $\Lambda$ can be verified, this probability can be amplified to $1 -$ . (Actually, under computational assumptions, this can be derandomized and so $A$ can output a member of $\Lambda$ with probability 1.) ■ 

Acknowledgments. We wish to thank Johan Håstad, Oded Goldreich, and Avi Wigderson for helpful discussions. 
Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows one to express security properties and carry out proofs using a simple logic-based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial-time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network. 



1 Introduction 

Cryptographic protocols are a fundamental tool in the design of secure distributed com- 
puting systems, but they are also extremely hard to design and validate. The difficulty 
of designing valid cryptographic protocols stems mostly from the fact that security 
properties should remain valid even when the protocol is executed in an unpredictable 
adversarial environment, where some of the parties (or an external entity) are maliciously 
attempting to make the protocol deviate from its prescribed behavior. 

Two approaches have been developed to formulate and validate security properties: the logic approach and the cryptographic approach. The logic approach is based on the definition of an abstract security model, i.e., a set of rules that specify how the protocol is executed and how an adversarial entity may interfere with the execution of the protocol. Within this model, one can prove that it is not possible to reach a configuration that violates the desired security property, using the axioms and inference rules of the system. So, in the logic approach cryptographic primitives are axiomatized and treated as abstract operations, rather than being explicitly defined. A different approach is taken by (complexity theory based) modern cryptography, where basic cryptographic primitives 

* Research supported in part by NSF Grants CCR-0093029 and CCR-0313241 

are explicitly constructed, and proved to satisfy some well-defined (computational) security property (possibly under some computational hardness assumption). Then, these primitives are combined to build higher-level protocols whose security can be formally proved within a general computational model. 

The cryptographic approach is widely considered the most satisfactory from a foundational point of view, as it guarantees security in the presence of arbitrary (probabilistic polynomial-time) adversaries. Unfortunately, this powerful adversarial model also makes protocol analysis a very difficult task. Typical cryptographic security proofs involve the definition of complex probability spaces, the use of asymptotic notions like polynomial-time computability and reductions, negligible functions, etc., and the accurate accounting of the success probability of all possible attacks. Proving security of a protocol using the logic approach is comparatively much simpler: once the rules governing the execution of the protocol are established, security can be easily obtained using the axioms and inference rules of the logic. The advantage of the axiomatic approach is also its main weakness: since security is axiomatized (as opposed to being defined from more basic notions) it is usually hard to assess the significance of a security proof in this framework. Proving security in a certain logic framework only means that a formal statement (expressing the desired security property) follows from a given set of axioms that aim to model the security features of typical cryptographic primitives used in the implementation of the protocol. However, since the security axioms do not typically hold true in realistic models of computation, it is not clear whether the formal proofs allow one to assert anything about concrete executions of the protocol. 

Recently, there has been growing interest in trying to bridge these two approaches, with the ambitious goal of coming up with logic systems together with computational interpretations of logic formulas in the standard computational setting, so that if a certain statement can be proved within the logic, and the cryptographic protocol is implemented using primitives that satisfy standard cryptographic security properties, then the computational interpretation of the security statement is also valid in the computational setting. This makes it possible to prove that a protocol meets strong security properties (as typically considered by the cryptography and complexity theory community), while retaining the simplicity of the logic-based approach in defining security and carrying out proofs. 

An important step toward bridging the gap between these two approaches, while retaining the simplicity of the logic formulation, has been made by Abadi and Rogaway in [2], where a simple language of encrypted expressions is defined, and it is proved that if two expressions are equivalent according to a (syntactically defined) simple logic formalism, then their natural computational interpretations are also equivalent according to the standard notion of computational indistinguishability. The logic of [2] is now well understood from a computational point of view, with completeness results [18] showing that if a sufficiently strong encryption scheme is used, then any two expressions are computationally equivalent if and only if they can be proved equivalent within the logic, and further refinements [12] exactly characterizing the computational requirements on the encryption scheme under which this equivalence holds true. However, the logic model of [2,18,12] is extremely simple, and allows one to describe (see [1]) only the simplest kind of attacks, where a set of parties is communicating over a public network, and an adversary is monitoring their conversations in an attempt to extract additional information. Such an adversary, which can observe the transmitted messages but cannot otherwise alter their content or flow, is called a passive adversary and is usually considered inadequate in most applications. 



1.1 Our Contribution 

In this paper we present a logic framework that allows one to model active adversaries, which, besides eavesdropping on all network communications, can also drop, modify, reroute, or inject messages in the network. As in [2], we consider protocols where the parties (attempt to) communicate by exchanging messages that are built from a set of basic elements (like nonces, keys and identifiers) using encryption and concatenation operations, but, differently from [2], we give the adversary total control over the communication network. Despite the complications introduced by active attacks, we show that it is still possible to carry out cryptographically meaningful proofs within a model that retains the simplicity of the Abadi-Rogaway logic. In particular, we consider two possible execution models for the protocols: 

- a concrete model, where the protocols are naturally implemented using any 
encryption scheme (satisfying the standard cryptographic security notion of 
indistinguishability under chosen ciphertext attacks) and executed in the presence of an 
active probabilistic polynomial time adversary, and 

- an abstract model, where the protocol is executed symbolically, in the presence of 
an abstract adversary that may modify or forge messages, but only using a set of 
abstract rules when decomposing and assembling messages. 

The rules that govern the symbolic execution of the protocol and the behavior of 
abstract adversaries originate in the work of Dolev and Yao [10], and are common to 
most logic based approaches to protocol analysis. 

We remark that although we consider protocols written in an abstract language of 
symbolic expressions, we are ultimately interested in the security properties of the 
protocol when implemented using standard (computational) cryptographic algorithms, in the 
presence of probabilistic adversaries that may toss random coins, and perform different 
actions based on the bit representation of keys and ciphertexts observed on the 
network. This concrete execution model, where a probabilistic polynomial time adversary 
has full control of the communication network and parties communicate by exchanging 
bit-strings, is exactly the execution model used in most computational works about 
cryptographic protocols, e.g., the treatment of mutual authentication protocols by Bellare, 
Pointcheval and Rogaway [7,8,6]. 

Our main technical result shows that there is a close correspondence between 
abstract executions of the protocol in the presence of a Dolev-Yao adversary, and the 
execution of the implementation of the protocol in the presence of an arbitrary 
polynomial time adversary. This correspondence provides a general methodology to design and 
validate security protocols in a cryptographically meaningful way, but using simple 
abstract (symbolic) adversarial and execution models. Informally, our main technical result 
shows that with overwhelming probability (over the random coin tosses of the protocol 
participants and the probabilistic polynomial time adversary) any state* reached by the 
parties running the protocol can be represented (using an injective mapping function) as 
an abstract state in the symbolic execution of the protocol in the presence of a Dolev- 
Yao adversary. This connection is used to establish the computational security of the real 
protocol as follows: 

- Express the security property S as a set of “secure” states in the concrete execution 
of the protocol, and find a set of abstract states A such that any state represented by 
elements of A also belongs to S. 

- Prove, symbolically (i.e., within the abstract Dolev-Yao model), that no formal 
adversary can make the honest parties ever reach a state outside A. 

- Conclude that no concrete adversary can violate the security property S with 
non-negligible probability. 

Notice that both the protocol design and the analysis are performed within a logic framework 
where probability is not explicitly used. A concrete implementation of the protocol and a 
computational proof of security are automatically obtained using our technical result: 
since real executions can be mapped to valid symbolic executions with overwhelming 
probability (say 1 - ε), if there is a concrete polynomial time adversary that in a real 
execution brings the system to a state outside S with non-negligible probability (say 
bigger than ε), then there must exist a symbolic execution that brings the system to a 
state outside A. 



1.2 Related Work 

Bridging the gap between the computational and logic treatment of cryptography has 
been the subject of many recent research efforts. The works which are more closely 
related to our paper are [2,18,1,12], which present a simple logic for reasoning about the 
security protocols written in a language similar to ours, but only for the case of passive 
adversaries. In this line of work, our paper is the first one to show how to deal with more 
general active attacks. 

Other approaches to bridging the logic and computational models of cryptography 
have also been considered in the literature, but they all seem considerably more complex 
than [2,18,1,12]. In [16] the notions of probability, polynomially bounded computation, 
and computational indistinguishability are incorporated in a process calculus, and 
security is defined in terms of observational equivalence on processes. Yet another 
approach has been considered in [4,3], which essentially provides a cryptographic 
implementation of Dolev-Yao terms, within a general framework where security is defined 
using a simulation paradigm similar to the universal composability framework of [9]. 
Another seemingly related work is [13,14], which tries to give a cryptographic definition 
of secure encryption that captures the intuitive idea of Dolev-Yao adversaries. 

* By state we mean the collective memory content of the parties executing the protocol. In fact, 
our result establishes a connection between abstract and concrete executions not only for single 
states of the system at a given point in time, but for the entire sequence of states the system 
goes through. 
In a recent paper [15] Impagliazzo and Kapron introduce a logic which (similarly to 
[2,18,1,12]) allows one to reason about computational indistinguishability in a 
cryptographically sound way without the explicit use of asymptotics and probabilities. The logic 
of [15] is much more powerful than the one of [2,18,1,12], allowing the use of limited 
forms of recursion. The results in [15] can be viewed as complementary to ours, as they 
are mostly aimed at analyzing the security of low level cryptographic operations (e.g., 
pseudorandom generators), whereas in this paper we consider the analysis of higher 
level protocols based on secure cryptographic primitives. 

The formal execution model used in this paper is closely related to the trace based 
framework of [19], and the strand space model of [11]. Proofs in the latter model have 
been successfully automated [21]. We view our work as an important step toward giving 
a solid cryptographic foundation to automated tools like the one described in [21]. 



2 Preliminaries 

For a natural number n we will denote by [n] the set {1, 2, ..., n}, and by [n] the set 
{0} ∪ [n]. As usual, we will say that a function ν(·) is negligible if it is smaller than the 
inverse of any polynomial (provided that the input is large enough). 

Security of encryption in the multi-user setting. As usual, an asymmetric 
encryption scheme AE = (Kg, E, D) is given by algorithms for key generation, encryption 
and decryption. The key generation function is randomized and takes as input the 
security parameter η and outputs a pair of public-secret keys (pk, sk). The encryption 
function is also randomized, and we denote by E_pk(m; r) the process of computing the 
encryption of message m using random coins r. The decryption function takes as input 
a secret key and a ciphertext and returns the underlying plaintext. It is mandated that for 
any message m and random coin tosses r, m = D_sk(E_pk(m; r)). 

In this paper we use a variant of the standard notion of indistinguishability against 
chosen-ciphertext attack [20], in short IND-CCA. More precisely, we use the extension 
of this security notion to the multi-user setting, introduced (and proved equivalent to the 
standard definition) by Bellare, Boldyreva and Micali in [5]. The definition is as follows. 

We first define a left-right selector as a function LR defined by LR(m_0, m_1, b) = m_b 
for all equal-length strings m_0, m_1 and for any bit b. We measure the “strength” of 
encryption scheme AE when simultaneously used by a number n of parties by considering 
the pair of experiments Exp^{n-cca-b}_{AE,A}(η) for b = 0, 1. Each experiment involves an 
adversary A and is as follows. First, n pairs of keys (pk_i, sk_i) are generated by running 
the key generation algorithm on input the security parameter η, each time with fresh 
coins. Then, the adversary is given as input the set of n public keys pk_1, ..., pk_n, and is 
provided access to a set of n encryption oracles {E_{pk_i}(LR(·, ·, b))}_{i∈[n]}. The adversary 
is also provided access to a set of n decryption oracles {D_{sk_i}(·)}_{i∈[n]}, where sk_i is the 
secret key associated to pk_i. The adversary can query any of the encryption oracles with 
any pair of messages (m_0, m_1) (and obtain as result the ciphertext corresponding to m_b) 
and also, it is allowed to query the decryption oracles. The adversary is forbidden, 
however, to submit to decryption oracle D_{sk_i}(·) a ciphertext which was obtained as result of 
a query to encryption oracle E_{pk_i}(LR(·, ·, b)). At some point, the adversary has to output 
a guess bit d. The adversary wins if d = b and loses otherwise. We define the advantage 
of the adversary in defeating IND-CCA security in an environment with n users as 

$$
\mathrm{Adv}^{n\text{-}cca}_{AE,A}(\eta) = \Pr\left[\mathrm{Exp}^{n\text{-}cca\text{-}1}_{AE,A}(\eta) = 1\right] - \Pr\left[\mathrm{Exp}^{n\text{-}cca\text{-}0}_{AE,A}(\eta) = 1\right]
$$

and say that the encryption scheme is n-IND-CCA secure if Adv^{n-cca}_{AE,A}(η) is a negligible 
function for any probabilistic polynomial time adversary A. The following theorem, 
proved in [5], is useful in deriving our results. 

Theorem 1. If AE is an IND-CCA encryption scheme, then for any polynomial n(·), 
AE is n-IND-CCA secure. 



3 Two-Party Protocols 

In this section we describe a simple language for defining multi-party protocols, and 
how such protocols are executed. For simplicity, we concentrate on two party protocols, 
where the two parties alternate in the transmission of messages. In Section 6 we explain 
how to extend this setting to multi-party protocols. 

3.1 Protocol Syntax 

A simple way to represent a large class of two-party protocols is by a sequence of 
messages m_1, ..., m_n, where m_1, m_3, m_5, ... are the messages sent by the first player 
(called the initiator), and m_2, m_4, m_6, ... are the messages sent by the second player 
(called the responder). We consider protocols where the messages are arbitrary 
expressions built from basic values (like the names of the parties involved in the protocol, 
randomly generated nonces and cryptographic keys) using concatenation and 
encryption operations. Formally, each message is represented by a term generated according 
to the following grammar: 

Term ::= Id | Key | Nonce | Pair | Ciphertext 
Pair ::= (Term, Term) 
Ciphertext ::= {Term}_Key 

where Id, Key, Nonce are three sets of basic symbols corresponding to the party’s 
names (e.g., Id = {I, R} for two party protocols where I represents the 
initiator and R the responder), Key = {K_I, K_R} their public keys, and Nonce = 
{X_1, X_2, ..., Y_1, Y_2, ...} represent nonces generated at random by the protocol 
participants. For example, the following sequence of terms 

NSL = ({(I, X_1)}_{K_R}, {(R, (X_1, Y_1))}_{K_I}, {Y_1}_{K_R}) (1) 

represents the well known Needham-Schroeder-Lowe protocol [17]. In this protocol, 
the initiator first sends its identity I followed by a freshly generated random nonce 
X_1, encrypted under the responder public key. The responder replies with its identity, 
followed by nonce X_1 and a freshly generated nonce Y_1, all encrypted under the initiator 
public key. Finally, the initiator concludes the protocol by re-encrypting nonce Y_1 under 
the responder public key, and transmitting the corresponding ciphertext. 

We remark that protocols are a compact way to represent two distinct programs 
(the one executed by the initiator, and the one executed by the responder), and the way 
they interact. For example, the initiator program corresponding to protocol (1) is the 
following: 

1. Generate a random nonce X_1, encrypt the pair (I, X_1) under key K_R, and transmit 
the ciphertext. 

2. After receiving a message m_2, try to decrypt m_2 and parse the plaintext as 
(R, (X_1, Y_1)), i.e., check that the first and second component of the message are 
the intended recipient and the nonce generated in the first step. 

3. Encrypt the value Y_1 received in step 2 under K_R, and send it to the receiver. 

Similarly, the responder program waits for a message m_1, tries to decrypt m_1 and 
parse the plaintext as (I, X_1), and, if successful, generates a random nonce Y_1 and sends 
(R, (X_1, Y_1)) encrypted under the initiator key K_I. 

In the cryptographic setting, where protocols are executed in a malicious 
environment, it is important to specify what happens if anything goes wrong during the execution 
of a program, for example if decryption fails, or the decrypted message does not have 
the expected pattern. We assume that if at any point a party detects a deviation from the 
protocol, then the party immediately aborts the execution of its program. 

Not every sequence of messages is the description of a valid protocol. For 
example, ({X_1}_{K_I}, {X_1}_{K_R}) is not a valid protocol because the responder, after receiving 
{X_1}_{K_I}, cannot decrypt the message and recover the nonce X_1 to be retransmitted in 
the second message {X_1}_{K_R}. In particular, we assume that the messages transmitted 
by each party can be computed from the previously received messages in the Dolev- 
Yao model, which will be formally defined when describing the adversary. In order 
to simplify the presentation we also assume that the initiator (resp. responder) encrypts 
messages only under the responder (resp. initiator) public key. In particular, this implies 
that the messages received by a party can be immediately and completely decrypted. We 
remark that our techniques seem to extend to more complex protocols, where parties 
generate and transmit new keys on the fly (e.g., in the case of session keys to be used in 
hybrid encryption schemes), provided that some reasonable restrictions are imposed on 
their use. We give some further discussion in Section 6. 



3.2 Programs and Their Execution 

Notice that the expressions, typically referred to as “messages”, in the description of a 
protocol are not the actual messages being transmitted during the execution of the 
protocol, but rather the “instructions” to be executed by a party to compute the corresponding 
messages. We will refer to this kind of expressions as abstract message descriptions. 
For example, the expression “I” does not mean that the symbol “I” should be transmitted 
literally, but that the identity of the initiator should be transmitted. Similarly, an expression 
of the form X_1 calls for the generation and transmission of a new nonce, rather than 
the transmission of the symbol X_1. Below, we define how messages are computed according 
to a given protocol. For the sake of readability, we only give an informal description. 
We consider two different ways to execute a protocol: symbolic execution, and concrete 
execution. 

In a symbolic execution, messages are symbolic expressions, built according to 
grammar Term starting from basic symbols Id = {A, B, C, ...} representing the 
parties, nonces Nonce = {N, M, ...}, and keys Key = {K_A, K_B, K_C, ...}. Messages 
are computed in the obvious way: in the case of symbolic executions, symbols I and R are 
replaced by the identity of the initiator and responder, K_I, K_R with their respective public 
keys, and nonce identifiers X_i, Y_i are set to new nonces from Nonce = {N, M, ...} 
the first time they occur in the execution of a protocol, or to some value recovered 
from previous messages. Formally, at every stage of the execution of a protocol, the 
local state of a party is represented by a program counter pointing to which message 
should be received next, and a partial function Φ mapping the identifiers I, R, X_i, Y_i, ... 
occurring in the program executed by that party to corresponding symbolic values from 
A, B, C, ..., N, M, .... When a message is to be transmitted, the function Φ is used 
to evaluate the corresponding expression in the program text. When a new message is 
received, the function Φ is first used to check the validity of the message, and then 
extended with additional bindings obtained from unifying the received message with the 
expression in the program text. Notice that each symbol (e.g., X_1) in the description of 
a protocol corresponds to two different variables, one stored with the protocol initiator 
and one with the responder. These two variables are usually bound to the same value. 
However, when the protocol is executed in the presence of an active adversary that 
may alter the messages transmitted and received by the parties, this is not necessarily 
the case. So, it is important to distinguish between the variable identifier X_1 used in 
the description of a protocol and the two variable instances associated to the parties 
executing the protocol (as well as variable instances corresponding to different executions 
of the same protocol by other pairs of parties). 
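The symbolic execution just described, as an added example that is not part of the paper: a small Python model of the two role programs of NSL (protocol (1)) with a program counter and the partial function Φ, showing how outgoing messages are evaluated, how incoming ones are unified with the program text (aborting on mismatch), and how the initiator's and responder's instances of X_1 diverge once an adversary injects a message of its own. The tuple encoding of terms, the nonce names and the injected message are constructed here, not taken from the paper.

```python
# Added example (not from the paper): symbolic execution of the role programs of a
# two-party protocol in the Term grammar, following Section 3.2.  Term encoding
# (constructed): ('id', a) | ('key', k) | ('nonce', n) | ('pair', t1, t2) | ('enc', t, key)
import itertools

def pair(a, b): return ('pair', a, b)
def enc(t, k): return ('enc', t, k)

# Abstract message descriptions of NSL, equation (1), over identifiers I, R, K_I, K_R, X1, Y1.
I, R, K_I, K_R = ('id', 'I'), ('id', 'R'), ('key', 'K_I'), ('key', 'K_R')
X1, Y1 = ('nonce', 'X1'), ('nonce', 'Y1')
NSL = [enc(pair(I, X1), K_R), enc(pair(R, pair(X1, Y1)), K_I), enc(Y1, K_R)]

def fresh_nonces():
    """Symbolic nonce supply N1, N2, ... shared by all parties of one execution."""
    return ('N%d' % i for i in itertools.count(1))

class Abort(Exception):
    """A received message does not unify with the program text: the party stops."""

class Role:
    """Local state of one party: a program counter and the partial function Phi."""
    def __init__(self, protocol, role, initiator, responder, fresh):
        self.protocol, self.role, self.fresh, self.pc = protocol, role, fresh, 0
        # I, R, K_I, K_R are bound when the session starts; nonces on first use.
        self.phi = {'I': ('id', initiator), 'R': ('id', responder),
                    'K_I': ('key', 'K_' + initiator), 'K_R': ('key', 'K_' + responder)}
        self.own_key = self.phi['K_' + role]   # the only key this party decrypts under

    def sends_next(self):
        # m1, m3, ... are sent by the initiator, m2, m4, ... by the responder
        return self.pc < len(self.protocol) and (self.pc % 2 == 0) == (self.role == 'I')

    def evaluate(self, expr):
        """Outgoing message from its description via Phi; a nonce identifier met for
        the first time is bound to a fresh nonce symbol."""
        kind = expr[0]
        if kind == 'nonce' and expr[1] not in self.phi:
            self.phi[expr[1]] = ('nonce', next(self.fresh))
        if kind in ('id', 'key', 'nonce'):
            return self.phi[expr[1]]
        return (kind, self.evaluate(expr[1]), self.evaluate(expr[2]))

    def unify(self, expr, msg):
        """Check an incoming message against the program text and extend Phi.
        Section 3.1 restriction: a party decrypts only under its own key."""
        kind = expr[0]
        if kind == 'enc':
            if msg[0] != 'enc' or self.phi[expr[2][1]] != self.own_key or msg[2] != self.own_key:
                raise Abort('cannot decrypt')
            self.unify(expr[1], msg[1])
        elif kind == 'pair':
            if msg[0] != 'pair':
                raise Abort('expected a pair')
            self.unify(expr[1], msg[1])
            self.unify(expr[2], msg[2])
        elif expr[1] in self.phi:                    # bound identifier: values must agree
            if self.phi[expr[1]] != msg:
                raise Abort('mismatch on ' + expr[1])
        elif kind == 'nonce' and msg[0] == 'nonce':  # first occurrence: bind it
            self.phi[expr[1]] = msg
        else:
            raise Abort('ill-typed value for ' + expr[1])

    def start(self):
        """Initiator only: produce m1."""
        self.pc = 1
        return self.evaluate(self.protocol[0])

    def receive(self, msg):
        """Handle send(s : role, msg); return the reply, or None if the party sends nothing."""
        if self.pc >= len(self.protocol) or self.sends_next():
            raise Abort('no message expected now')
        self.unify(self.protocol[self.pc], msg)
        self.pc += 1
        if not self.sends_next():
            return None
        self.pc += 1
        return self.evaluate(self.protocol[self.pc - 1])

def honest_run():
    """Adversary forwards every message unchanged: both parties finish with equal bindings."""
    fresh = fresh_nonces()
    a, b = Role(NSL, 'I', 'A', 'B', fresh), Role(NSL, 'R', 'A', 'B', fresh)
    m1 = a.start()            # {(A, N1)}_{K_B}
    m2 = b.receive(m1)        # {(B, (N1, N2))}_{K_A}
    m3 = a.receive(m2)        # {N2}_{K_B}
    b.receive(m3)
    return a, b

def adversary_rewrites_m1():
    """Adversary drops m1 and injects {(A, Nadv)}_{K_B} with a nonce of its own (constructed):
    the responder accepts it, so the two instances of X1 end up bound to different values."""
    fresh = fresh_nonces()
    a, b = Role(NSL, 'I', 'A', 'B', fresh), Role(NSL, 'R', 'A', 'B', fresh)
    a.start()
    b.receive(enc(pair(('id', 'A'), ('nonce', 'Nadv')), ('key', 'K_B')))
    return a.phi['X1'], b.phi['X1']
```

A party whose program counter equals len(NSL) has completed its program; a message encrypted under any key other than the receiver's own raises Abort, which is the immediate-abort behaviour assumed in Section 3.1.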

In a concrete execution, messages are bit-strings, obtained by running the key 
generation, encryption and decryption algorithms used in an actual implementation of the 
protocol. This time, when a nonce identifier first occurs in the execution of a protocol, 
the corresponding party generates a random bit string (of length equal to some security 
parameter). Public keys K_I, K_R are mapped to bit-strings using the key generation algorithm 
of some specified encryption scheme, and complex expressions are evaluated by running 
the encryption algorithm, and encoding pairs in some standard way. We always assume 
that the bit representation of an expression allows one to uniquely determine its type, and 
parse it accordingly. This time, the state of a party is given by a program counter, and a 
partial function mapping the variable identifiers to corresponding bit strings. As before, 
these bindings are used both to evaluate the messages to be transmitted, and to parse the 
received messages, with the main difference that this time parsing received messages 
involves the execution of the decryption algorithm, and computing the answers involves 
running the (randomized) encryption algorithm. 
3.3 Adversaries, Execution Environments, and State Traces 

We consider the concurrent execution of several instances of a given protocol. The 
execution of each protocol instance is called a “session”. We assume that the parties 
executing a protocol communicate using a network that is under the total control of 
some adversary A. The adversary can sniff messages off the network, send messages 
to any session of the protocol run by any party and obtain in return the corresponding 
answer. We do not assume that the communication is guaranteed, i.e. once the adversary 
obtains a message from a certain session, it may choose to never deliver the message to 
the intended destination, or may deliver a different message spoofing the sender identity. 
We also model the collusion of some parties with the adversary by letting the adversary 
choose a set C of parties and obtain all their private keys. 

We model an adversarially controlled communication network by letting all the 
parties executing the protocol send and receive messages to and from the adversary. 
Formally, we let the adversary interact with an oracle that runs the honest parties’ programs. 
The adversary may issue the following commands to the oracle: 

1. new(A, B): start the execution of a new instance of the protocol, with party A acting 
as the initiator, and party B acting as the responder. In response to this message, the 
oracle picks a new session identifier s, starts the execution of a new instance of the 
protocol run by A and B, and returns the session identifier s together with the first 
message transmitted by party A to the adversary. 

2. send(s : I, m): send message m to the initiator of session s. Update the initiator’s 
state accordingly, and return its response to message m to the adversary. 

3. send(s : R, m): send message m to the responder of session s. Update the responder’s 
state accordingly, and return its response to message m to the adversary. 

As for the protocol execution, we consider two different adversarial models: an 
abstract adversary that communicates with the parties via symbolic expressions, and 
a concrete one that uses the bit-strings obtained by running some specific encryption 
algorithm. 

The abstract adversary, usually called a Dolev-Yao adversary, is constrained in the 
way it can compute new messages from messages it already knows, so as to capture the 
security of the cryptographic operations (in our case asymmetric encryption and 
generation of random nonces). We first give the formal definition and then we explain the 
intuition behind it. Consider a set M representing the messages that the adversary knows 
at a certain point during its execution. This set includes the messages that the adversary 
has already received from honest parties, as well as some messages which the adversary 
is assumed to be able to compute (for instance new nonces). In particular, M contains 
the set of identities Id = {A_1, A_2, ...}, the set of all public keys Keys = {K_1, K_2, ...} 
and a set Nonce of nonce symbols denoting the nonces produced by the adversary, and 
(depending on the setting) a set of identities C that model corrupted parties 
colluding with the adversary. The set of messages that the adversary can compute from M, 
denoted closure(C, M), is defined as the smallest set such that 

1. M ⊆ closure(C, M) 

2. If T_1, T_2 ∈ closure(C, M) then (T_1, T_2) ∈ closure(C, M) 

3. If (T_1, T_2) ∈ closure(C, M) then T_1, T_2 ∈ closure(C, M) 

4. If T ∈ closure(C, M) then {T}_K ∈ closure(C, M) for all K ∈ Keys 

5. If {T}_{K_i} ∈ closure(C, M) and A_i ∈ C then T ∈ closure(C, M) 

Most of the constraints above are rather self-explanatory. The first four say that the 
adversary can construct new messages which are messages that it already knows (1), are 
built by pairing messages it knows (2), splitting a pair that it knows (3), or encrypting a 
message it knows with a key that it knows (4). The fifth requirement, which captures the 
security of encryption, states that if an adversary knows the decryption key corresponding 
to the key used to encrypt a certain message, then the adversary can recover that message. 
Notice that this definition precludes the adversary from recovering the plaintext if it does 
not know the decryption key. 
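An added example (not from the paper) of the closure rules above as a decision procedure in Python: closure(C, M) is infinite, so the check saturates M under the decomposition rules (3 and 5) and then tests a candidate query by the composition rules (1, 2 and 4); it also checks a whole query list against the requirement that each query lie in the closure of the initial knowledge plus the oracle responses received so far. The tuple encoding, the key-to-owner naming convention, the NSL messages and the adversarial nonce are constructed inputs.

```python
# Added example (not from the paper): a decision procedure for the Dolev-Yao closure of
# Section 3.3.  closure(C, M) is infinite, so we saturate M under the decomposition rules
# (3: unpair, 5: decrypt under a corrupted party's key) and then test a candidate term with
# the composition rules (1: known, 2: pair, 4: encrypt).  Public keys are atomic symbols,
# so this two-phase check is complete.  Term encoding (constructed): ('id', a) |
# ('key', 'K_a') | ('nonce', n) | ('pair', t1, t2) | ('enc', t, key); key 'K_a' belongs to a.

def pair(a, b): return ('pair', a, b)
def enc(t, k): return ('enc', t, k)

def owner(key):
    """Party A_i owning public key K_i (rule 5 needs the key-to-party link)."""
    return key[1][len('K_'):]

def analyze(corrupt, known):
    """Smallest superset of `known` closed under rules 3 and 5."""
    result, todo = set(), list(known)
    while todo:
        t = todo.pop()
        if t in result:
            continue
        result.add(t)
        if t[0] == 'pair':                                # rule 3: both components
            todo.extend((t[1], t[2]))
        elif t[0] == 'enc' and owner(t[2]) in corrupt:    # rule 5: A_i in C
            todo.append(t[1])
    return result

def synthesizable(term, analyzed):
    """Rules 1, 2 and 4: can `term` be built from the analysed knowledge?"""
    if term in analyzed:                                  # rule 1
        return True
    if term[0] in ('pair', 'enc'):                        # rules 2 and 4 (key known too)
        return synthesizable(term[1], analyzed) and synthesizable(term[2], analyzed)
    return False                                          # unknown id, key or honest nonce

def in_closure(corrupt, known, term):
    """Is `term` in closure(C, M) for C = corrupt and M = known?"""
    return synthesizable(term, analyze(corrupt, known))

def valid_dolev_yao(corrupt, initial, transcript):
    """A query list is valid if every query lies in closure(C, M) for M = initial
    knowledge plus the oracle responses received before that query."""
    known = set(initial)
    for query, response in transcript:
        if not in_closure(corrupt, known, query):
            return False
        if response is not None:
            known.add(response)
    return True

def nsl_demo():
    """Constructed NSL session between A and B (equation (1) instantiated), adversary E."""
    A, B, E = ('id', 'A'), ('id', 'B'), ('id', 'E')
    K_A, K_B, K_E = ('key', 'K_A'), ('key', 'K_B'), ('key', 'K_E')
    N1, N2, NE = ('nonce', 'N1'), ('nonce', 'N2'), ('nonce', 'NE')  # NE is adversarial
    initial = {A, B, E, K_A, K_B, K_E, NE}
    m1 = enc(pair(A, N1), K_B)
    m2 = enc(pair(B, pair(N1, N2)), K_A)
    m3 = enc(N2, K_B)
    # m1 is the oracle's answer to new(A, B); the adversary then relays each message
    relay = [(m1, m2), (m2, m3), (m3, None)]
    forged = enc(pair(A, NE), K_B)       # a message built from its own nonce: allowed
    leak = enc(pair(A, N1), K_E)         # needs A's honest nonce N1 in clear
    return {
        'relay_valid': valid_dolev_yao(set(), initial | {m1}, relay),
        'forge_with_own_nonce': in_closure(set(), initial | {m1}, forged),
        'reencrypt_honest_nonce': in_closure(set(), initial | {m1, m2}, leak),
        'reencrypt_if_B_corrupt': in_closure({'B'}, initial | {m1}, leak),
    }
```

The last two results make the fifth rule concrete: N1 only becomes derivable once B's identity is in C, so the adversary holds the key that m1 was encrypted under.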

The real adversary is usually constrained to run in (probabilistic) polynomial time, 
but can otherwise perform any kind of operations. This is the standard adversary used in 
computational treatments of authentication and other cryptographic protocols. The real 
adversary also issues commands of the form new(i, j), send(s : I, m) and send(s : 
R, m) to the oracle environment, but this time m can be an arbitrary bit string. Similarly, 
the oracle replies with bit strings computed by the parties using their keys and the 
encryption function. 

In the sequel we will denote by F the set of symbolic expressions used in a formal 
execution and by C_η the set of all bit-strings that appear in a concrete execution 
(parameterized by the security parameter η). So, F is built up from a set of basic symbols 
(containing identities, keys and nonces) by using the grammar Term. Similarly, C_η is 
built up from a set of basic bit-strings by pairing and encryption. Here, pairing 
is assumed to be done via some standard (invertible) encoding, and encryption is done 
by running the encryption algorithm of a fixed concrete asymmetric encryption scheme 
AE. The oracle environments for the formal and for the concrete execution models are 
denoted by O^f and O^c respectively. 

If Identifiers is the set of identifiers used in the abstract description of a protocol, 
and Sid is the set of all possible sessions, then the global states maintained by O^f and 
O^c are given by pairs (F, k) respectively (f, l), where 

$$
F : Sid \times \{I, R\} \to (\mathit{Identifiers} \to F), \qquad k : Sid \times \{I, R\} \to (\mathbb{N} \cup \{\checkmark\})
$$

and 

$$
f : Sid \times \{I, R\} \to (\mathit{Identifiers} \to C), \qquad l : Sid \times \{I, R\} \to (\mathbb{N} \cup \{\checkmark\}).
$$

Here F(s, I) gives the local state of the initiator of session s in the formal execution, 
f(s, I) the local state of the initiator of session s in the concrete execution, and so on. 
Functions k and l return the index of the next message expected by a party, or ✓ if the 
party finished the execution of the protocol. 

In the formal world an adversary A_f is simply a list of queries of the type send(s : 
X, M) (for simplicity we assume that all possible sessions have already been initiated). 
We emphasize that this is without loss of generality since security properties in this 
setting consider all valid adversaries. 

We call one such adversary a valid Dolev-Yao adversary, or simply valid, if each of 
the queries that it sends is in the closure of the set formed by some fixed set of adversarial 
nonces (disjoint from the nonces used by the honest parties), identities of parties, public 
keys of parties and the responses that it receives from O^f. The result of the interaction 
between the adversary and the oracle is the sequence of states through which the oracle 
passes. So if (F_0, k_0) is the initial state of O^f, for each i ≥ 1, state (F_i, k_i) is 
obtained from state (F_{i-1}, k_{i-1}) as result of the i-th query of the adversary. We denote 
the sequence ((F_0, k_0), (F_1, k_1), ...) by STr(A_f, O^f) and call it the formal state trace 
of the execution of A_f. The set of all formal traces is denoted by FStrace. 

In the concrete model the execution is randomized, since generating keys, random 
nonces and encryptions involves the use of random coins. Nevertheless, for each concrete 
adversary A_c we can define a similar state trace once the randomness of the oracle and 
that of the adversary are fixed. We will denote by STr(A_c(R_A), O^c(R_O)) the concrete 
state trace ((f_0, l_0), (f_1, l_1), ...) triggered by the queries of the adversary to the oracle 
environment, when the random coins of the adversary and those of the environment are 
R_A and R_O respectively. The set of all possible concrete traces is denoted CStrace. We 
will give the fully formal definition in the full version of this paper. 

4 Faithfulness of the Formal Execution Model 

In this section we show that when the encryption scheme used in the concrete 
implementation is secure, then concrete state traces are tightly related to state traces of valid formal 
adversaries. More precisely, we show that almost always a concrete state trace can be 
obtained by composing the state trace of a valid formal adversary with a representation 
function that maps symbols to bit-strings. So, in some sense, the concrete adversary does 
not have more power than the abstract Dolev-Yao adversaries. We will formally show 
how this connection allows one to translate security results from the abstract to the concrete 
world in Section 5. 

Definition 1. We call a function R : F → C a representation function if it is 
injective, and maps each of the three distinguished subsets of F (identities, keys and 
nonces) into the corresponding subset of C. 

Definition 2. Let cstr = ((f_0, l_0), (f_1, l_1), ..., (f_n, l_n)) be a concrete state trace, 
fstr = ((F_0, k_0), (F_1, k_1), ..., (F_n, k_n)) be a formal state trace and R : F → C 
be a representation function. We say that cstr is an implementation of fstr via 
representation function R, notation fstr ≼_R cstr, if for each 1 ≤ i ≤ n it holds that 
R ∘ F_i = f_i (i.e., applying R to every symbolic value bound in F_i gives f_i) and also k_i = l_i. 
We say that cstr is an implementation of fstr, notation 
fstr ≼ cstr, if for some representation function R it holds that fstr ≼_R cstr. 

The above definition says that a concrete trace is a representation of an abstract trace if 
it is possible to rename consistently all symbols in the abstract trace with bit-strings, so 
as to obtain the concrete trace. Another possible interpretation is that the abstract trace is 
an abstract representation of the concrete trace (via the inverse of function R). 

Informally, the core of our paper says that a concrete state trace obtained by fixing 
the randomness of the adversary and that of the oracle environment is a 
representation of the state trace of an abstract attack which satisfies the Dolev-Yao restrictions, 
with overwhelming probability over the coins of the adversary and those of the oracle 
environment. 
Theorem 2. Let Π be a protocol. If the encryption scheme AE used in the implementation is IND-CCA secure, 
then for any concrete adversary A_c 

$$
\Pr_{R_A, R_O}\left[\exists A_f \text{ valid} : \mathrm{STr}(A_f, O^f) \preceq \mathrm{STr}(A_c(R_A), O^c(R_O))\right] \ge 1 - \nu(\eta)
$$

for some negligible function ν(·). 

Proof. Since IND-CCA security implies IND-CCA security in a multi-user setting 
(Theorem 1) it is sufficient to prove the theorem under the assumption that the encryption scheme is 
IND-CCA secure in the multi-user setting. 

We split the proof of the theorem in two parts. First we show that for any trace 
STr(A_c(R_A), O^c(R_O)), obtained by fixing the randomness of the oracle environment 
and that of the adversary, it is always possible to find an abstract adversary A_f (and a 
representation function R) such that STr(A_f, O^f) ≼_R STr(A_c(R_A), O^c(R_O)). For 
this we provide a construction of A_f which essentially extracts a formal attack from 
the concrete attack. In the second part of the proof we show that the constructed formal 
attacker A_f satisfies the Dolev-Yao restrictions with overwhelming probability (over the 
choice of the coins of the adversary and those of the oracle environment), or otherwise 
the encryption scheme AE used in the concrete implementation is not N_p-IND-CCA 
secure, where by N_p we denote the number of parties in the system. 

Step I. The intuition behind the construction is the following. Since all coins 
determining the execution are fixed, all bit-strings representing identities, keys and nonces that 
appear in the computation are also fixed, and thus can be recovered. Then by canonically 
labeling all these concrete constants with abstract symbols, one can translate each 
message send(s : X, q) of the concrete adversary into an abstract message send(s : X, Q) 
such that q is a representation of Q. The sequence of abstract queries send(s : X, Q) 
determines the abstract adversary. This is done as follows. The keys and nonces used by 
honest parties can be directly determined once their coin tosses are fixed. The trickier 
part is to obtain the strings that the adversary uses as nonces (since these cannot be 
obtained directly from the randomness of the adversary). Nevertheless, we can do this 
by tracking and parsing the queries of the adversary. Whenever we encounter some bit- 
string x of type nonce which is not a nonce generated by an honest party, then that 
string is certainly a nonce produced by the adversary. So, we introduce a new (symbolic) 
adversarial nonce X and assign it to denote x. We will denote the formal adversary 
constructed this way by A_f. 

Step II. The second step of the proof is to show that the adversary A_f obtained as above 
computes its messages following the Dolev-Yao restrictions. We prove this by 
constructing an adversary B against the encryption scheme. Adversary B runs A_c as a subroutine 
and we prove that B wins in the IND-CCA game precisely when the abstract 
adversary associated to the run of A_c is not Dolev-Yao. If this happens with non-negligible 
probability then B is an adversary that contradicts the security of AE. 

The key observation is the following. Consider the queries q_1, q_2, ... made by A_c 
while run as a subroutine, and let A_f be the abstract adversary associated to A_c. Then 
A_f makes queries Q_1, Q_2, ..., which are abstract representations of the queries q_1, q_2, .... 
Assume that one of the queries of A_f, say Q_i, is not Dolev-Yao. In this case it is easy 
to see that Q_i must contain an occurrence of some nonce X (generated by the honest 
parties) which does not appear in clear in any of the answers that A_f obtained, and 
moreover A_f cannot recover this nonce by standard Dolev-Yao operations. Otherwise, 
Q_i could be created by the adversary. 

We distinguish two cases. The simpler case is when Q_i contains X unencrypted. In this case, message q_i also contains x unencrypted, i.e. the adversary managed to recover nonce x from ciphertexts he should not have been able to decrypt, i.e. it managed to break the encryption function.

The second case is when X appears in Q_i encrypted, so Q_i has a subterm of the form T = {t[X]}_K for some term t[X] containing X and some key symbol K. In this case, neither T nor t[X] appeared in clear (since otherwise Q_i could have been built by the adversary). So in the concrete world, A_c makes query q_i which contains an encryption of x which he had not previously seen, so in this case A_c also contradicts the security of the encryption scheme.

In this extended abstract we only provide an overview of the construction of the adversary B. A detailed description will be provided in the full version of this paper.

Since B is an adversary against N_p-IND-CCA encryption, it has access to N_p left-right encryption oracles, and also to the corresponding decryption oracles. B will use his access to these oracles to mimic the behavior of the environment in which the public keys of the parties are the public keys of the encryption oracles. Just simulating the behavior would be easy for B: it can simply select all random nonces of the honest parties, and then, when the adversary makes a query to O^c, B can parse the query (by using the decryption oracles), compute an appropriate answer by following the program of the honest party, return it to the adversary, and so on.

The adversary B that we construct does something more clever than that. For simplicity of the exposition assume for now that B "knows" the nonce X and the term Q such that Q is not a valid Dolev-Yao query, and X is the nonce that we described above. For his simulation, B selects all concrete nonces of the honest parties (except the one corresponding to X). For this nonce, B selects two possible concrete representations x_0 and x_1. Then B starts running the attacker A_c, carrying the simulation along the lines we have described above: it parses queries of the adversary by using the decryption oracles to which it has access, and answers the queries by following the programs of the honest parties. There are two important points in which the simulation differs from the trivial simulation that we described above. First, when B needs to pass to A_c responses for which the abstract representation contains X, B computes a concrete representation in which X is replaced by x_b, where b is the selection bit of the left-right encryption oracles. This is possible since X appears only encrypted, so we can create concrete representations using the encryption oracles. Let us explain.

Let x_0 and x_1 be the two possible concrete nonce values that B associates to X, and say that during his simulation of the environment oracle, B needs to pass to A_c the representation of terms {X}_{K_i} and {XX}_{K_j}. To accomplish this, B prepares messages (x_0, x_1) and (x_0x_0, x_1x_1) and submits them to encryption oracles E_{pk_i}(LR(·, ·, b)) and E_{pk_j}(LR(·, ·, b)) respectively. (Here pk_i and pk_j are concrete representations of the keys K_i and K_j.) The resulting ciphertexts are then passed to A_c. Notice that it is crucial that X never needs to be sent in clear, since in this case B would not know which of the two possible concrete representations to send.

The second important point related to the simulation of B is that when it parses the messages sent by A_c, it must avoid sending to a decryption oracle a ciphertext previously obtained from the corresponding encryption oracle. This would render B invalid. This however can be easily avoided, since B knows the underlying plaintext of all ciphertexts obtained from the encryption oracles, modulo which of the concrete nonces x_0, x_1 is used (notice that all ciphertexts obtained from the encryption oracles contain one of the two nonces, and always the same). So, B can compute an appropriate answer (possibly involving the encryption oracles in the case that the answer involves the representation of X).

From the point of view of Ac, the simulation of the environment oracle is perfect. 

By now it is probably clear how B determines the bit b that parameterizes the encryption oracles. When A_c makes its query q (corresponding to a non Dolev-Yao message), B intercepts the message, and recovers which of the two values x_0, x_1 was actually used in the simulation. If the concrete nonce appears in clear, then this step is trivial. Otherwise, i.e. the nonce appears encrypted, B simply "peels off" the encryptions surrounding x_b by using the decryption oracles. This is possible, because none of these encryptions was obtained from an encryption oracle.

The final observation that goes into our construction is that B does not know a priori which nonce X is the "faulty" nonce, nor does it know which of the messages sent by the adversary corresponds to the invalid Dolev-Yao abstract message. But since the total number of nonces and messages appearing in an execution is polynomial in the security parameter, B can guess both of them with significant probability. If B guesses wrongly, so that it either cannot recover a nonce from the position that it guessed, or the nonce it recovers is different from x_0, x_1, then B simply outputs a random guess.

Let us provide an informal analysis of the advantage of B (formal details will be given in the full version of the paper). There are two possible events that lead B to successfully guessing the bit b. First of all, if guessing X or Q fails, then he outputs b with probability half. Otherwise, i.e. the abstract adversary A_f is not Dolev-Yao, and B guesses both the nonce X, the message Q which is not Dolev-Yao and the position P in this message on which X occurs, then B correctly guesses b. Each of these probabilities can be bounded as follows. For concreteness assume the following: the total number of parties is N_p, the total number of messages exchanged during a session is N_r, each party uses at most N_n nonces, and each message has at most N_o nonce occurrences. Then, if N_s is the total number of possible sessions, i.e. |Sid|, then B guesses the "right" nonce X with probability at least …, guesses the "right" message Q with probability at least …, and the "right" occurrence of X with probability at least …. Putting this together we obtain that

$$N_r \cdot N_n \cdot N_o \cdot N_s \cdot \mathrm{Adv}_B \ \ge\ \Pr[A_f \text{ invalid}].$$

Since we assumed that AS is IND-CCA secure, hence N_p-IND-CCA secure, the left side of the inequality is a negligible function, hence so is the right side. In other words, the adversary A_f that we construct is not a valid Dolev-Yao adversary only with negligible probability. □
5 Soundness of Formal Proofs

We now use the result of the previous section to prove our main result. In this section we provide a uniform way to specify general security properties, both in the formal and the concrete setting. Then, we exhibit a condition on formal and concrete security notions P_f and P_c such that proving security of some protocol Π with respect to P_f (in the formal world) entails that the protocol is secure with respect to P_c in the concrete world. Finally we provide concrete examples for the case of mutual authentication protocols.

Definition 3. Fix a protocol Π.

1. A formal security notion is any predicate P_f on formal state traces (or equivalently any subset P_f of FStrace). For each security notion P_f ⊆ FStrace, we say that protocol Π satisfies P_f, notation Π ⊨_f P_f, if for all valid formal adversaries A_f it holds that STr(A_f, O^f) ∈ P_f.

2. A concrete security notion is any predicate P_c on concrete state traces. For each security notion P_c ⊆ CStrace, we say that protocol Π satisfies P_c, notation Π ⊨_c P_c, if for all probabilistic polynomial time adversaries A_c it holds that

$$\Pr_{R_A, R_O}\left[\mathrm{STr}(A_c(R_A), O^c(R_O)) \in P_c\right] \ \ge\ 1 - \nu(\eta),$$

where R_A and R_O are random strings of appropriate length (i.e. polynomially long in the security parameter η) and ν(·) is some negligible function.

The definitions of satisfiability provided above are rather standard in the settings 
that we consider. The one for the formal execution model states that no Dolev-Yao 
adversary can induce a “faulty” formal execution trace. The definition of satisfiability 
for the concrete execution model states that no probabilistic polynomial time algorithm 
can induce a faulty concrete execution trace, except with negligible probability. 

We now exhibit a relation between formal security notions Pf and concrete security 
notions Pc such that proving (formally) security with respect to Pf implies security with 
respect to Pc (in the concrete execution model). The relation is captured in the following 
theorem. 

Theorem 3. Let P_f and P_c be respectively a formal and a concrete security notion such that

$$(\forall fstr \in FStrace,\ \forall cstr \in CStrace)\ \big((fstr \in P_f \wedge fstr \preceq cstr) \Rightarrow cstr \in P_c\big).$$

If AS is IND-CCA secure, then

$$\Pi \models_f P_f \ \Rightarrow\ \Pi \models_c P_c$$

holds.

Proof. The intuition behind the proof is the following. Let cstr be the state trace caused by an arbitrary adversary A_c. From Theorem 2, with overwhelming probability there exists a valid formal adversary such that its trace fstr satisfies fstr ≼ cstr, and moreover fstr ∈ P_f (since Π ⊨_f P_f). Then, by the assumption on P_f and P_c, with overwhelming probability cstr ∈ P_c, i.e. Π ⊨_c P_c. Formally we have the following:

$$\begin{aligned}
\Pr_{R_A, R_O}\left[\mathrm{STr}(A(R_A), O^c(R_O)) \in P_c\right]
&\ge \Pr_{R_A, R_O}\left[\exists fstr \in P_f : fstr \preceq \mathrm{STr}(A(R_A), O^c(R_O))\right] \\
&\ge \Pr_{R_A, R_O}\left[\exists A_f \text{ valid} : \mathrm{STr}(A_f, O^f) \preceq \mathrm{STr}(A(R_A), O^c(R_O))\right] \\
&\ge 1 - \nu(\eta),
\end{aligned}$$

i.e. Π ⊨_c P_c. □

Mutual authentication. We now show how to apply the above machinery to the 
case of mutual authentication protocol. Informally, at the end of a secure execution 
of a mutual authentication protocol, the initiator and the responder are convinced of 
each other’s identity. Various ways of formalizing this property already appeared in the 
literature [7,8,6,11]. Our formulation is closest to the one in the latest reference, to which 
we refer the reader for clarifications and motivations about the definition. 

There are two properties that a secure mutual authentication protocol should satisfy. 
The first property, called “initiator’s guarantee”, states that if in some session between 
two parties, the initiator sent his last message, and thus finished its execution, then there 
exists some session between the same parties in which the responder also finished its 
execution. The second property, called the responder’s guarantee, says that if in some 
session the responder sent his last message (and hence finished its execution), then there 
exists some session with the same initiator and responder in which the initiator has either 
finished his execution, or is expecting to receive the last message of the protocol. Finally, 
a protocol is a secure mutual authentication protocol if it satisfies both initiator’s and 
responder’s guarantees. 

We can formalize the above informal descriptions by using the language of state 
traces as follows. 

Definition 4. Let t = ((F_0, k_0), (F_1, k_1), ...) be an (abstract or concrete) state trace of a protocol with N_r rounds.

(1) We say that t satisfies the initiator's guarantee, if for any position p in the trace, the following condition is satisfied. If for some s = (i, j, t) ∈ Sid it holds that k_p(s, I) = √, then for some s' = (i, j, t') ∈ Sid it holds that k_p(s', R) = √.

(2) We say that t satisfies the responder's guarantee, if for any position p, the following condition is satisfied. If for some s = (i, j, t) ∈ Sid it holds that k_p(s, R) = √, then for some s' = (i, j, t') ∈ Sid it holds that k_p(s', I) = N_r or k_p(s', I) = √.

(3) We say that t satisfies the mutual authentication property if it satisfies both initiator's guarantee and responder's guarantee.

Let us denote by MA^f (respectively by MA^c) the mutual authentication property in the formal (respectively in the concrete) execution model. It is a simple exercise to show that MA^f and MA^c satisfy the conditions of Theorem 3. As a consequence, for any protocol Π

$$\Pi \models_f MA^f \ \text{ implies }\ \Pi \models_c MA^c.$$
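As an added illustration (not part of the paper), the following Python checker evaluates the two guarantees of Definition 4 over constructed state traces. Each state k_p is represented as a dictionary from (session, role) to the next instruction index or a DONE marker standing for √; the F_p components are omitted because the definition does not consult them.

```python
# Added example, not from the paper: a direct checker for Definition 4.
# A state trace is a list of states; each state k_p maps (session, role) to the
# participant's next instruction index, or DONE (the paper's check mark) once it
# has sent its last message. Sessions are triples (initiator, responder, number).
DONE = "done"
I, R = "I", "R"


def peer_sessions(state, i, j):
    """Sessions s' = (i, j, t') present in a state (the s' of Definition 4)."""
    return {s for (s, _role) in state if s[0] == i and s[1] == j}


def initiator_guarantee(trace):
    """Every finished initiator session (i, j, t) has a finished responder
    session (i, j, t') at the same position of the trace."""
    for state in trace:
        for (s, role), v in state.items():
            if role == I and v == DONE:
                i, j, _t = s
                if not any(state.get((s2, R)) == DONE
                           for s2 in peer_sessions(state, i, j)):
                    return False
    return True


def responder_guarantee(trace, n_rounds):
    """Every finished responder session (i, j, t) has an initiator session
    (i, j, t') that has finished or is waiting for the last message (index N_r)."""
    for state in trace:
        for (s, role), v in state.items():
            if role == R and v == DONE:
                i, j, _t = s
                if not any(state.get((s2, I)) in (n_rounds, DONE)
                           for s2 in peer_sessions(state, i, j)):
                    return False
    return True


def mutual_authentication(trace, n_rounds):
    return initiator_guarantee(trace) and responder_guarantee(trace, n_rounds)


# Constructed traces for a two-round protocol (N_r = 2): the initiator sends the
# first message and then waits (index 2) for the responder's last message.
N_ROUNDS = 2
S_AB, S_AC = ("A", "B", 1), ("A", "C", 1)

GOOD_TRACE = [
    {(S_AB, I): 1, (S_AB, R): 1},
    {(S_AB, I): 2, (S_AB, R): 1},        # A sent message 1
    {(S_AB, I): 2, (S_AB, R): DONE},     # B answered and finished
    {(S_AB, I): DONE, (S_AB, R): DONE},  # A accepted the answer
]
# A accepts a last message although B never produced one (responder still at index 1).
BAD_INITIATOR_TRACE = [
    {(S_AB, I): 2, (S_AB, R): 1},
    {(S_AB, I): DONE, (S_AB, R): 1},
]
# B finishes a session it believes to be with A, but A only ever ran a session with C.
BAD_RESPONDER_TRACE = [
    {(S_AC, I): 2, (S_AB, R): 1},
    {(S_AC, I): 2, (S_AB, R): DONE},
]
```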
6 Extensions and Work in Progress

For simplicity of exposition, the framework that we presented in Sections 4 and 5 concentrates on a setting where parties execute multiple instances of a single two-party protocol. The formal and computational models that we presented can be extended in a number of ways, allowing analysis of an increasingly larger class of protocols. In this section we present and discuss some extensions which we have considered. These extensions include:

- considering multi-party protocols (as opposed to only two-party protocols);

- considering execution models in which parties execute instances not of a single but of a set of protocols;

- extending the protocol specification language with other cryptographic primitives, e.g. symmetric encryption, digital signatures, message authentication codes;

- considering more flexible rules for writing protocols, allowing for instance transmission of encrypted keys, forwarding of ciphertexts (without decrypting);

- developing a more general execution model involving reactive parties;

- generalizing our abstract definition of security notions to capture secrecy properties.

Our basic setting easily extends to a more general execution model in which parties execute several multi-party protocols, Π_1, Π_2, ..., Π_p, simultaneously. In the sequel we sketch some details of this extension. A multi-party protocol can be naturally specified by a sequence of actions of the form A → B : M, where A and B are the sender and the receiver respectively, and M is a representation of the message that A sends to B, constructed from variables in Identifiers, using the grammar for Term.

Given a protocol specified as a list of actions of the form A → B : M, the program 
run by some party P is determined by selecting from the list of actions only those 
actions which involve party P as either sender or receiver. The individual execution of 
these programs in both the formal and the computational models remains essentially 
unchanged. Furthermore, our formalization of the global execution of the protocols (for 
both the formal and the concrete world) can be easily adapted. The following discussion 
pertaining to the formal model, applies to the concrete model too, with some obvious 
modifications. 

In the formal execution model, the behavior of the honest parties is modeled by an oracle maintaining the global state of the execution. The adversary interacts with the oracle by initializing new instances of the protocols, and passing messages between parties as in the two-party case (the syntax of the queries needs to be adapted to the setting we are discussing). If we denote by Sid the set of session ids and by max the maximum number of parties involved in running each particular protocol, then in the multi-user, multi-protocol setting we model the global state by a pair of functions (F, k), where

$$F : Sid \times [max] \to (Identifiers \to Term), \qquad k : Sid \times [max] \to \mathbb{N} \cup \{\surd\}.$$

The intuition behind this formalization is identical to the two-party case: F(s, l) gives the local view of participant number l in the protocol executed in session s, and k(s, l) gives the index of the next instruction of the protocol which the same participant will execute.
The result of the execution is again the sequence of states determined by the formal adversary. In this case, by modeling security properties as sets of "secure" traces one can capture properties of the whole system (as opposed to properties of a single protocol). So, formal and computational satisfaction of security requirements pertains to the entire system. We write Π_1, Π_2, ..., Π_p ⊨_f P_f to denote the fact that protocols Π_1, Π_2, ..., Π_p satisfy property P_f in the formal execution model. Similarly, we write Π_1, Π_2, ..., Π_p ⊨_c P_c to mean that the same protocols satisfy security requirement P_c in the concrete execution model. The formal definition of the relations ⊨_f and ⊨_c is the obvious generalization of Definition 3. In the full version of the paper we will include a proof of the following generalization of Theorem 2:

Theorem 4. Let Π_1, Π_2, ..., Π_p be multi-party protocols and let P_f and P_c be a formal, respectively a concrete security notion such that

$$(\forall fstr \in FStrace,\ \forall cstr \in CStrace)\ \big((fstr \in P_f \wedge fstr \preceq cstr) \Rightarrow cstr \in P_c\big).$$

Then, if AS is IND-CCA secure,

$$\Pi_1, \Pi_2, \ldots, \Pi_p \models_f P_f \ \Rightarrow\ \Pi_1, \Pi_2, \ldots, \Pi_p \models_c P_c.$$

Another interesting extension is to enrich the protocol specification language with 
other cryptographic primitives, e.g. symmetric encryption, digital signatures and mes- 
sage authentication codes. It seems that our simple models and results can be immediately 
extended, if we only consider protocols in which parties never send encryption of secret 
keys. We remark that the problem of encrypted secret keys has also been encountered in 
the complex framework of [4], where it is pointed out that including such encryptions in 
their treatment is quite problematic. In contrast, we discovered that by imposing certain 
restrictions, our results can be extended to protocols in which parties exchange encryp- 
tion of secret keys. For instance, our results hold in a setting where parties generate and 
send encryptions of symmetric keys under the public keys of other parties, and later use 
the symmetric keys to encrypt other messages. We require however that symmetric keys 
are never used to encrypt other symmetric keys. The restrictions that we consider are 
quite reasonable from a practical point of view, and currently we are seeking the weakest 
limitations under which our result still holds. 

Yet another extension is to consider protocols with input and output, or even more 
generally, reactive protocols in which parties accept inputs and produce outputs during 
the execution. While coming up with models for this kind of protocols does not seem to 
pose any difficulties, finding appropriate, general definitions for security notions is a more 
subtle problem. In particular, such general definitions should encompass some formal 
and computational secrecy notions to which our result can be extended. We note that this 
would enable analysis of a large class of protocols for which secrecy requirements are 
crucial, e.g. key exchange protocols, which makes this direction particularly interesting 
to follow in our future research. 
Abstract. Recently Canetti, Krawczyk and Nielsen defined the notion of replayable adaptive chosen ciphertext attack (RCCA) secure encryption. Essentially a cryptosystem that is RCCA secure has full CCA2 security except for the little detail that it may be possible to modify a ciphertext into another ciphertext containing the same plaintext.

We investigate the possibility of perfectly replayable RCCA secure encryption. By this, we mean that anybody can convert a ciphertext y with plaintext m into a different ciphertext y' that is distributed identically to a fresh encryption of m. We propose such a rerandomizable cryptosystem, which is secure against semi-generic adversaries.

We also define a weak form of RCCA (WRCCA) security. For this notion we provide a construction (inspired by Cramer and Shoup's CCA2 secure cryptosystems) that is both rerandomizable and provably WRCCA secure. We use it as a building block in our conjectured RCCA secure cryptosystem.



1 Introduction 

Security against adaptive chosen ciphertext attacks (CCA2) has become the 
golden security standard for public-key cryptosystems. Dolev, Dwork and Naor 
gave the first construction based on standard primitives in [1] and subsequent 
work [2, 3, 4, 5] includes practical constructions based on a variety of assumptions. 
However, an unfortunate side effect of the strong security definition is the exclu- 
sion of certain cryptosystems that intuitively are secure. Consider for instance a 
cryptosystem that expands a CCA2 secure cryptosystem with a single bit, which 
is ignored in decryption. By flipping this bit it is easy to create a new encryption 
of the same plaintext and therefore the new cryptosystem is not CCA2 secure 
even though the message is protected by the same encryption. A few proposals 
for redefining CCA2 security to cover such cryptosystems were presented in [6,7], 
but other natural examples that intuitively are “CCA2” secure but do not sat- 
isfy these definitions exist. We believe that Canetti, Krawczyk and Nielsen have 
solved this problem satisfactorily in [8] by defining replayable adaptive chosen ciphertext attack (RCCA) security.¹

RCCA security essentially is the same as CCA2 security, except no guarantees 
are given against adversaries that just try to modify a ciphertext into a new 
ciphertext with the same plaintext. CCA2 security implies RCCA security, but 
not the other way around. We could hope that a weaker definition might give 
rise to more efficient constructions but this has so far not been the case. On 
the other hand, it is a proven fact that given RCCA secure encryption we can 
construct CCA2 secure cryptosystems. We refer the reader to [8] for several other 
arguments for being interested in RCCA secure encryption. 

The question we seek to answer in this paper is to what extent it may be possible to maul an RCCA secure cryptosystem. We have the ambitious goal of finding a cryptosystem which is RCCA secure and has perfect rerandomization, i.e., an efficient algorithm for converting an encryption y of plaintext m into a ciphertext y' that is perfectly indistinguishable from a fresh encryption of m.

Besides the theoretical perspective, we believe such cryptosystems may have 
practical applications. Consider for instance an anonymization protocol where 
in the end some party receives the encrypted messages and acts upon them, for 
instance a voting protocol based on mix-nets.² Here, we may want the ability 
to rerandomize ciphertexts in order to anonymize them. On the other hand, 
we may imagine an adversary that can inject ciphertexts into the anonymiza- 
tion protocol and therefore gets access to an adaptive chosen ciphertext attack. 
Rerandomizable RCCA secure encryption may be just the tool that gives us the best of both worlds.

Constructing a rerandomizable RCCA secure cryptosystem is a hard prob- 
lem, and is posed as an interesting open problem in [8] . The construction has to 
be almost CCA2 secure and at the same time have enough mathematical struc- 
ture to be rerandomizable. In particular, it seems like popular tools for building 
CCA2 secure encryption such as random oracles and one-time signatures cannot 
be used. 

In this paper, we start out by defining a weaker notion of replayable security called WRCCA security. This notion is stronger than IND-CCA1 but weaker than RCCA security. It turns out that rerandomizable WRCCA secure cryptosystems can be constructed under well-known intractability assumptions.

By choosing an appropriate group to work in, we get a rerandomizable WR- 
CCA secure cryptosystem that may be extended in a way that gives rise to a 
new rerandomizable cryptosystem. We believe this new cryptosystem is RCCA 
secure. Since it is an extension of a WRCCA secure cryptosystem, it is provably 
WRCCA secure. In itself, WRCCA security does not guarantee RCCA security 
though. We give an additional security argument by proving that a semi-generic 
adversary cannot break the scheme, where semi-generic means that it can only 
perform standard group operations on parts of the ciphertext. 

¹ Independently we came up with exactly the same definition of RCCA security.

² Duplication of votes must be avoided, for instance by inserting a nonce in the plaintext and discarding extra pairs of the same vote and nonce.
2 Notions of Replayable Security

Notation. All algorithms and adversaries are modeled as probabilistic polyno- 
mial time (possibly interactive) Turing machines. Our proofs hold for both uni- 
form and non-uniform adversaries. 

We assume that all algorithms and adversaries get a security parameter as input. We write p_1 ≈ p_2 if p_1 and p_2 are functions of the security parameter such that |p_1 − p_2| is a negligible function in the security parameter. A function that is not negligible is said to be noticeable.

Definitions. We define a public-key cryptosystem in the usual way. The decryption function outputs invalid when a ciphertext does not decrypt properly to a plaintext.

Definition 1 (RCCA security). A cryptosystem (K, E, D) is RCCA secure if for any adversary A it is the case that

$$\begin{aligned}
&P[(pk, sk) \leftarrow K();\ (m_0, m_1) \leftarrow A^{O_1}(pk);\ y \leftarrow E_{pk}(m_0) : A^{O_2}(y) = 1] \\
\approx\ &P[(pk, sk) \leftarrow K();\ (m_0, m_1) \leftarrow A^{O_1}(pk);\ y \leftarrow E_{pk}(m_1) : A^{O_2}(y) = 1],
\end{aligned}$$

where

— O_1 works like D_sk.

— O_2 works like D_sk except when the plaintext is m_0 or m_1. On m_0 or m_1 the oracle outputs test.

Definition 2 (WRCCA security). A cryptosystem (K, E, D) is WRCCA secure if for any adversary A it is the case that

$$\begin{aligned}
&P[(pk, sk) \leftarrow K();\ (m_0, m_1) \leftarrow A^{O_1}(pk);\ y \leftarrow E_{pk}(m_0) : A^{O_2}(y) = 1] \\
\approx\ &P[(pk, sk) \leftarrow K();\ (m_0, m_1) \leftarrow A^{O_1}(pk);\ y \leftarrow E_{pk}(m_1) : A^{O_2}(y) = 1],
\end{aligned}$$

where

— O_1 works like D_sk.

— O_2 works like D_sk except when the plaintext is m_0 or m_1. On m_0 or m_1 the oracle outputs invalid.

Let us illustrate the two types of security with the following example. We 
assume that we are operating a Swiss bank, and account holders can send anony- 
mous messages to us containing a password, the banking operation they want 
to perform and perhaps a counter to prevent replay attacks. We do not reply 
to these messages, but if the password is valid and the counter has not been 
used before, we perform the banking operation. Suppose a client of ours sends 
a ciphertext containing some banking operation he wants to perform and he is 
being wiretapped by somebody who wants to know which operation he carried 
out. Now the eavesdroppers may open an account with us, send ciphertexts to 
us, and see what happens with the money in their account. This means that they 
do have access to a chosen ciphertext attack. However, since they do not know 
our client’s password they cannot probe the system with banking operations 
on his account. WRCCA security is therefore sufficient to guarantee that the 
eavesdroppers do not learn anything about the banking operation he performed. 

Suppose we change the protocol to be user-friendlier: we send back one type 
of error message if a banking operation has already been executed and another 
type of error message if a ciphertext is invalid. Now the eavesdroppers have 
access to a stronger attack and we need the cryptosystem to be RCCA secure. 

In general WRCCA secure cryptosystems are only appropriate in protocols 
where the adversary does not learn whether an injected ciphertext is valid or 
invalid. Often this is not the case, consider for instance Bleichenbacher’s attack 
on the PKCS #1 protocol [9]. 

Other types of security. Bellare and Sahai prove in [10] that non-malleability is equivalent to indistinguishability under parallel attack. By a parallel attack we mean the adversary has access to an oracle O_2 that decrypts any number of ciphertexts but may be invoked only once. This definition makes sense both without and with access to O_1. They call the security notions IND-PA0 and IND-PA1. By modifying O_2 such that it can decrypt one vector of ciphertexts and will respond with respectively test and invalid on m_0 and m_1 we get four other security notions IND-RPA0, IND-RPA1, IND-WRPA0 and IND-WRPA1.³

Relationship between security notions. Figure 1 in Appendix A describes completely the relationship between all the security notions. For our purposes the interesting thing to note is that CCA2 security implies RCCA security, which implies WRCCA security, which in turn implies IND-CCA1 security. On the other hand all these notions are separate; IND-CCA1 does not imply WRCCA, WRCCA does not imply RCCA, and RCCA does not imply CCA2 security.

3 Rerandomizable Weak RCCA Secure Encryption 

In this section, we describe a rerandomizable WRCCA secure cryptosystem. The idea bears some resemblance to Cramer-Shoup's DDH based CCA2 secure cryptosystem [3]. In their scheme a ciphertext looks like this: (u_L = g_L^r, u_R = g_R^r, v = h^r m, a = (c d^{hash(u_L, u_R, v)})^r).⁴ If we have h = g_L^{x_L} = g_R^{x_R}, then a is a designated verifier zero-knowledge proof that both decryption with x_L and x_R will give the same plaintext. In the security proof, they use a hybrid argument where at one point we actually have that x_L and x_R would give different decryptions of the challenge ciphertext. At this point we simulate the designated verifier proof a. Raising d to hash(u_L, u_R, v) ensures that the simulation only works when we are using the actual challenge ciphertext, i.e., the designated verifier proof is simulation sound. Therefore, the adversary cannot fake proofs in the oracle queries, except if it copies the challenge ciphertext directly.

In our case we wish to allow rerandomization, provided the same plaintext is used. Therefore, we wish to ensure that the adversary in the security proof cannot fake the designated verifier proof unless the same plaintext as in the challenge is used. For this reason we make a designated verifier proof whose hash input is the plaintext rather than the ciphertext, i.e. of the form (c d^{hash(m)})^r. The cryptosystem and the proof do become more involved than standard Cramer-Shoup encryption. One of the reasons for this is that we have to take specifically into account in the hybrid argument how to shift from using hash(m_0) to using hash(m_1), where in the Cramer-Shoup scheme this is always computed as hash(u_L, u_R, v).

Another problem with using the Cramer-Shoup cryptosystem is that even with this new type of proof we cannot rerandomize it. To solve this problem we instead encrypt the message one bit at a time as h_i^{m_i r}, where m_i = ±1. Now we can rerandomize by choosing a random exponent and then raising all parts of the ciphertext to this exponent.

³ These forms of non-malleability should not be confused with the NM-RCCA notion in [8].

⁴ L = left, R = right.



Key Generation: Choose a collision-free hash-function h : {—1, 1}^ — >■ {0, 1}*. 
Choose a cyclic group G of order n where the DDH problem is hard.® The 



order n may be a prime or a composite. We demand that the smallest prime 
factor of n is larger than 2‘. 

Select at random elements hi, . . . ,hk € G. 



Choose . . . ,XL,k, XR^k at random from Z„ 

^-1 ^-1 ^-1 

Set gL,i = hi^'\gR^i = . . - ,gL,k = hy.’^'’’ ,gR^k = 

kR,i, ■ . ■ , G and Il,iJr,i, ■ 



-1 

‘^L,l 



-1 

R,k 



Select at random 

Z„. 



, lb,k, lR,k 



Set 



n kL,i kRi 

9lJ 9r,I 



and 






pk = hi,.. .,gL,k,gR,k, hk, c,d,h). 

sk = {pk, xl,i, . . . , XR^k, kL,i, ■ . ■ , kR^k, Ila, ■ ■ ■ , iR.k)- 

Encryption: Given input m = mi . . . mk G {—1, 1}^.® 

Epk{m; r) = , 9l,k^9kk^ 

Decryption: Given ciphertext $y = (u_{L,1}, u_{R,1}, v_1, \dots, u_{L,k}, u_{R,k}, v_k, a)$. Check that all elements belong to $G$.

Compute for all $i$ the $m_i \in \{-1,1\}$ that satisfies $v_i = u_{L,i}^{m_i x_{L,i}}$. Set $m = m_1 \dots m_k$. Check that
$$u_{L,i}^{x_{L,i}} = u_{R,i}^{x_{R,i}} \ \text{ for all } i \qquad\text{and}\qquad a = \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + h(m)\, l_{L,i}}\; u_{R,i}^{k_{R,i} + h(m)\, l_{R,i}}.$$

If everything works out return $m$, otherwise return invalid.



(*) Membership of $G$ should be easy to check and it should be easy to pick a generator for the group.

(**) Using $\{-1,1\}$ instead of $\{0,1\}$ makes notation a little less cumbersome.
Rerandomization: Given ciphertext $(u_{L,1}, u_{R,1}, v_1, \dots, u_{L,k}, u_{R,k}, v_k, a)$.

Select at random $r' \in \mathbb{Z}_n^*$. Return $(u_{L,1}^{r'}, u_{R,1}^{r'}, v_1^{r'}, \dots, u_{L,k}^{r'}, u_{R,k}^{r'}, v_k^{r'}, a^{r'})$.

It is easy to see that this is a public key cryptosystem with perfect rerandomization. For security, we have the following theorem.

Theorem 1. The cryptosystem is WRCCA secure provided the DDH assumption holds for $G$ and the hash-function is collision-free.



Proof. Consider the experiments in the definition of WRCCA security. The only difference is in the challenge given to the adversary. We define several probabilities $p_0, \dots, p_6$ of $A$ outputting 1 given different challenges. I.e., we set
$$p_i = \Pr\left[(pk, sk) \leftarrow K();\ (m_0, m_1) \leftarrow A^{O_1}(pk);\ y \leftarrow \mathrm{Chal}_i : A^{O_2}(y) = 1\right],$$
where $\mathrm{Chal}_i$ for the various probabilities returns the following.



$p_0$: $\left(g_{L,1}^{r}, g_{R,1}^{r}, h_1^{m_{01} r}, \dots, g_{L,k}^{r}, g_{R,k}^{r}, h_k^{m_{0k} r}, (c\,d^{h(m_0)})^{r}\right)$

$p_1$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{r}, h_i^{m_{0i} r}, \dots, \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_0)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_0)}\right)$

$p_2$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r}, \dots, \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_0)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_0)}\right)$

$p_3$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r}, \dots, \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_1)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_1)}\right)$

$p_4$: $\left(\dots, g_{L,i}^{m_{0i} m_{1i} r}, g_{R,i}^{r}, h_i^{m_{1i} r}, \dots, \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_1)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_1)}\right)$

$p_5$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{r}, h_i^{m_{1i} r}, \dots, \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_1)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_1)}\right)$

$p_6$: $\left(g_{L,1}^{r}, g_{R,1}^{r}, h_1^{m_{11} r}, \dots, g_{L,k}^{r}, g_{R,k}^{r}, h_k^{m_{1k} r}, (c\,d^{h(m_1)})^{r}\right)$

In $p_1, \dots, p_5$ the product in the last component is computed over the preceding components $u_{L,i}, u_{R,i}$ of that challenge, i.e., the proof is simulated with the secret key.



$p_0$ and $p_6$ are the probabilities for the definition of WRCCA security. We must therefore prove that $p_0 \approx p_6$. To accomplish this we prove that $p_0 \approx p_1, \dots, p_5 \approx p_6$.

The proof goes as follows. It is easy to see that $p_0 = p_1$. In $p_1$ we simulate the proof $a$; however, the simulation is perfect. $p_1 \approx p_2$ follows from Claim 11. $p_2 \approx p_3$ follows from Claim 13. $p_3 \approx p_4$ follows from Claim 14. $p_4 \approx p_5$ follows by a completely similar proof as for Claim 11. $p_5 = p_6$ is seen by inspection since again the only difference between them is a perfectly simulated proof $a$.



Claim 11. $p_1 \approx p_2$.

Proof. Assume for contradiction WLOG that $p_1$ is noticeably larger than $p_2$. We transform $A$ into an adversary $B$ that can break the following hard problem.



Hard problem. We select at random $h_1, \dots, h_k$ and $g_{R,1}, \dots, g_{R,k}$ from $G$. $B$ sees these and is allowed to choose $m_0, m_1 \in \{-1,1\}^k$. Subsequently we choose at random $r \in \mathbb{Z}_n^*$. We give either
$$\left(g_{R,1}^{r}, h_1^{m_{01} r}, \dots, g_{R,k}^{r}, h_k^{m_{0k} r}\right) \qquad\text{or}\qquad \left(g_{R,1}^{m_{01} m_{11} r}, h_1^{m_{01} r}, \dots, g_{R,k}^{m_{0k} m_{1k} r}, h_k^{m_{0k} r}\right)$$
to $B$. $B$ must now output a bit. We consider $B$ successful if it can distinguish the two tuples.

The hardness of the problem relies on the DDH assumption. Suppose $B$ can distinguish the two types of challenge. By a hybrid argument there is an index $i$ and a bit $b$ such that $B$ can distinguish the tuple whose first $i-1$ pairs are on the second form $(g_{R,j}^{m_{0j} m_{1j} r}, h_j^{m_{0j} r})$, whose last $k-i$ pairs are on the first form $(g_{R,j}^{r}, h_j^{m_{0j} r})$, and whose $i$-th pair is $(g_{R,i}^{r}, h_i^{m_{0i} r})$ if $b = 0$ and $(g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r})$ if $b = 1$, from the same tuple with the $i$-th pair replaced by $(y, h_i^{m_{0i} r})$, where $y$ is chosen at random from $G$.

Consider now a randomly chosen DDH challenge $(g, h, z, h^r)$ where we must determine whether $z = g^r$ or $z$ is chosen at random from $G$. We set $h_i = h$ and $g_{R,i} = g$. For all $j \neq i$ we select at random $x_j, x_{R,j}$ and compute $h_j = h^{x_j}$ and $g_{R,j} = h_j^{x_{R,j}^{-1}}$. We give $g_{R,1}, h_1, \dots, g_{R,k}, h_k$ to $B$ and get the messages $m_0$ and $m_1$. Then we give $B$ the challenge built from these values: the pairs for $j \neq i$ are powers of $h^r$ with known exponents, and the $i$-th pair is $(z, (h^r)^{m_{0i}})$ if $b = 0$ and $(z^{m_{0i} m_{1i}}, (h^r)^{m_{0i}})$ if $b = 1$. We have now converted $B$ into a DDH distinguisher.



The algorithm $B$. We describe $B$. In its first invocation it gets the input $g_{R,1}, \dots, g_{R,k}, h_1, \dots, h_k$. It selects at random $x_{L,1}, \dots, x_{L,k} \in \mathbb{Z}_n^*$ and sets $g_{L,1} = h_1^{x_{L,1}^{-1}}, \dots, g_{L,k} = h_k^{x_{L,k}^{-1}}$. After this it selects $k_{L,1}, \dots, l_{R,k}$ and sets
$$c = \prod_{i=1}^{k} g_{L,i}^{k_{L,i}}\, g_{R,i}^{k_{R,i}} \qquad\text{and}\qquad d = \prod_{i=1}^{k} g_{L,i}^{l_{L,i}}\, g_{R,i}^{l_{R,i}}.$$

$B$ now has something that looks perfectly like a public key for our cryptosystem. It does not know the full secret key since it does not know the discrete logarithms $x_{R,1}, \dots, x_{R,k}$.

$B$ runs the algorithm for $A$ on the public key given above. Whenever $A$ queries the oracle $O_1$, then $B$ answers the query by extracting a message $m$ using its knowledge of $x_{L,1}, \dots, x_{L,k}$. It then checks that
$$a = \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + h(m)\, l_{L,i}}\; u_{R,i}^{k_{R,i} + h(m)\, l_{R,i}}.$$
It returns $m$ if everything works out OK. We can see this as $A$ getting its oracle queries answered by a left-oracle $O_1^L$. From Claim 12 we see that with overwhelming probability these answers correspond to the answers the real oracle $O_1$ would make. $A$ returns two messages $m_0$ and $m_1$. This is the output of $B$ after its first invocation.

A challenge $(u_{R,1}, v_1, \dots, u_{R,k}, v_k)$ for the hard problem is now selected and given to $B$. $B$ converts this challenge into what looks like a ciphertext by setting $u_{L,1} = v_1^{m_{01} x_{L,1}^{-1}}, \dots, u_{L,k} = v_k^{m_{0k} x_{L,k}^{-1}}$ and
$$a = \prod_{i=1}^{k} u_{L,i}^{k_{L,i} + h(m_0)\, l_{L,i}}\; u_{R,i}^{k_{R,i} + h(m_0)\, l_{R,i}}.$$
In case we have $u_{R,1} = g_{R,1}^{r}, v_1 = h_1^{m_{01} r}, \dots, u_{R,k} = g_{R,k}^{r}, v_k = h_k^{m_{0k} r}$ then the ciphertext will be as in the challenge in $p_1$. In case we have $u_{R,1} = g_{R,1}^{m_{01} m_{11} r}, v_1 = h_1^{m_{01} r}, \dots, u_{R,k} = g_{R,k}^{m_{0k} m_{1k} r}, v_k = h_k^{m_{0k} r}$ then we have a ciphertext on the form of the challenge in $p_2$.

$B$ now runs $A$ on this ciphertext. It answers queries in the same way as before, i.e., using $O_2^L$ that decrypts using $x_{L,1}, \dots, x_{L,k}$ and then checks the proof. Again using Claim 12 we get that the oracle queries are answered as the real oracle $O_2$ with access to the discrete logarithms $x_{R,1}, \dots, x_{R,k}$ would do. In the end, $A$ answers with a bit. $B$ uses this bit as its output.

Depending on the challenge, we have either probability $p_1$ for $B$ outputting 1 or probability $p_2$ for $B$ outputting 1. If the two probabilities are noticeably different, this means that we have created a distinguisher for the hard problem and thereby broken the DDH assumption.

Claim 12. It is infeasible for $A$ to find a ciphertext $y'$ with proof $a'$ that gets answered differently by the real oracles $O_1, O_2$ and the modified oracles $O_1^L, O_2^L$ that only left-decrypt, even if $A$ sees a fake ciphertext $y$ as the challenge in $p_2$ with simulated proof $a$.

Proof. Consider the difficult case, namely finding a query that $O_2$ and $O_2^L$ answer differently. The information available to $A$ about $k_{L,1}, \dots, l_{R,k}$ comes from $c$, $d$ and the fake ciphertext $y$. If we compute the discrete logarithms with respect to some base $g$ for these elements, we get the following system of linear equations in $\mathbb{Z}_n$ to be satisfied, where $a'$ is the "proof" in the newly created ciphertext and $r_{L,i}, r_{R,i}$ are the exponents of its components $u'_{L,i} = g_{L,i}^{r_{L,i}}, u'_{R,i} = g_{R,i}^{r_{R,i}}$:
$$\begin{pmatrix}
1 & 1 & \cdots & 0 & 0 & \cdots \\
0 & 0 & \cdots & 1 & 1 & \cdots \\
r & r\delta_i & \cdots & r\,h(m_0) & r\delta_i\, h(m_0) & \cdots \\
r_{L,i} & r_{R,i} & \cdots & r_{L,i}\, h(m) & r_{R,i}\, h(m) & \cdots
\end{pmatrix}
\begin{pmatrix}
\log(g_{L,i})\, k_{L,i} \\ \log(g_{R,i})\, k_{R,i} \\ \vdots \\ \log(g_{L,i})\, l_{L,i} \\ \log(g_{R,i})\, l_{R,i} \\ \vdots
\end{pmatrix}
=
\begin{pmatrix} \log(c) \\ \log(d) \\ \log(a) \\ \log(a') \end{pmatrix},$$
where we define $\delta_i = m_{0i} m_{1i}$ and $m$ is the left-decryption of the new ciphertext.

Since $k_{L,1}, \dots, l_{R,k}$ are unknown and randomly chosen the only chance for the proof $a'$ to be correct is if the last row is a linear combination of the first three rows. Already at this point we can therefore see that we must have some $r_L$ such that for all $i$ we have $r_L = r_{L,i}$. Reducing the matrix we get
$$\begin{pmatrix}
1 & 1 & \cdots & 0 & 0 & \cdots \\
0 & 0 & \cdots & 1 & 1 & \cdots \\
0 & \delta_i - 1 & \cdots & 0 & (\delta_i - 1)\, h(m_0) & \cdots \\
0 & r_{R,i} - r_L & \cdots & 0 & (r_{R,i} - r_L)\, h(m) & \cdots
\end{pmatrix}.$$

We see that there must be some $\mu$ such that the fourth row is $\mu$ times the third row. This means that for all $i$ with $\delta_i = 1$ we have $r_{R,i} = r_L$. Consider from now on the remaining $i$'s where $\delta_i = -1$. We see that for all these $i$'s we have
$$r_{R,i} - r_L = -2\mu \qquad\text{and}\qquad (r_{R,i} - r_L)\, h(m) = -2\mu\, h(m_0).$$

If $\mu = 0$ then $r_{R,i} = r_L$ for all $i$ and therefore both left-decryption and right-decryption give the same result. In that case, the left-oracle answers correctly.

If $\mu \neq 0$ then we have for these $i$'s that $(r_{R,i} - r_L)(h(m) - h(m_0)) = 0$ and $r_{R,i} - r_L \neq 0$. This implies that $h(m) = h(m_0)$, since the hashes are smaller than the smallest prime factor of $n$. Collision-freeness of the hash-function now implies that $m = m_0$. But in that case, both $O_2$ and $O_2^L$ answer invalid. We therefore see that the left-oracle answers the same as the real oracle.
Claim 13. $p_2 \approx p_3$.

Proof. Let $i$ be an index such that $m_{0i} m_{1i} = -1$. We will argue that even if $A$ is computationally unbounded and given $k_{L,j}, k_{R,j}, l_{L,j}, l_{R,j}$ for all $j \neq i$ it still cannot distinguish the two challenges.

From the available information $A$ can use $c$ to compute
$$K_i = \log(g_{L,i})\, k_{L,i} + \log(g_{R,i})\, k_{R,i} \bmod n$$
and $d$ to compute
$$L_i = \log(g_{L,i})\, l_{L,i} + \log(g_{R,i})\, l_{R,i} \bmod n,$$
as well as $a$ to compute
$$\begin{aligned}
A_i &= \log(g_{L,i})\left(k_{L,i} + h(m_b)\, l_{L,i}\right) - \log(g_{R,i})\left(k_{R,i} + h(m_b)\, l_{R,i}\right) + h(m_b)\,\Delta \\
&= K_i - 2\log(g_{R,i})\, k_{R,i} + h(m_b)\left(L_i - 2\log(g_{R,i})\, l_{R,i} + \Delta\right) \bmod n,
\end{aligned}$$
where $\Delta$ depends on the other $k$'s and $l$'s, but not on $k_{L,i}, k_{R,i}, l_{L,i}, l_{R,i}$. However, since $k_{L,i}, k_{R,i}, l_{L,i}, l_{R,i}$ are chosen at random this does not reveal whether $b = 0$ or $b = 1$.

$A$ cannot use the decryption queries to learn anything. If $A$ wants to make a decryption query that has noticeable chance of being valid it must be on the form
$$\left(g_{L,1}^{r'}, g_{R,1}^{r'}, h_1^{m'_1 r'}, \dots, g_{L,k}^{r'}, g_{R,k}^{r'}, h_k^{m'_k r'}, \prod_{j=1}^{k} \left(g_{L,j}^{k_{L,j} + h(m')\, l_{L,j}}\; g_{R,j}^{k_{R,j} + h(m')\, l_{R,j}}\right)^{r'}\right),$$
where the last component equals $(c\,d^{h(m')})^{r'}$ and is therefore computable from the public key alone. This does not reveal any new information on $k_{L,i}, k_{R,i}, l_{L,i}, l_{R,i}$ and therefore $b$ remains hidden.



Claim 14. $p_3 \approx p_4$.

Proof. By a hybrid argument if $A$ can distinguish the two challenges then there is an index $i$ such that $A$ can be used to distinguish challenges on the form
$$\left(g_{L,1}^{r}, g_{R,1}^{m_{01} m_{11} r}, h_1^{m_{01} r}, \dots, g_{L,i}^{r}, g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r}, \dots, g_{L,k}^{m_{0k} m_{1k} r}, g_{R,k}^{r}, h_k^{m_{1k} r}, \prod_{j=1}^{k} u_{L,j}^{k_{L,j} + l_{L,j} h(m_1)}\, u_{R,j}^{k_{R,j} + l_{R,j} h(m_1)}\right)$$
and
$$\left(g_{L,1}^{r}, g_{R,1}^{m_{01} m_{11} r}, h_1^{m_{01} r}, \dots, g_{L,i}^{m_{0i} m_{1i} r}, g_{R,i}^{r}, h_i^{m_{1i} r}, \dots, g_{L,k}^{m_{0k} m_{1k} r}, g_{R,k}^{r}, h_k^{m_{1k} r}, \prod_{j=1}^{k} u_{L,j}^{k_{L,j} + l_{L,j} h(m_1)}\, u_{R,j}^{k_{R,j} + l_{R,j} h(m_1)}\right),$$
where the triples before index $i$ are on the form of $p_3$, the triples after index $i$ are on the form of $p_4$, and the two challenges differ only in the $i$-th triple.

According to the DDH assumption it is impossible to tell whether a challenge $(g, h, g^r, z)$ has $z = h^r$ or $z$ chosen at random from $G$. This implies that it is hard to distinguish $(g, h, g^r, h^r)$ and $(g, h, g^r, h^{-r})$.

So given a challenge $(g, h, g^r, z)$, where $z = h^r$ or $z = h^{-r}$, we set $h_i = h$ and for all $j \neq i$ we compute $h_j = g^{x_j}$ where we choose $x_j$ at random. We have now selected $h_1, \dots, h_k$ and carry out the rest of the key generation procedure. This gives us a public key and a secret key. Now we run the first invocation of $A$ on this challenge. $A$ produces two challenge messages $m_0$ and $m_1$. If $m_{0i} = m_{1i}$ we stop and guess at random a bit $b$. However, if $m_{0i} \neq m_{1i}$ then we set $v_i = z$. We may now set it up such that $z = h^{m_{0i} r}$ gives us the challenge
$$\left(g_{L,1}^{r}, g_{R,1}^{m_{01} m_{11} r}, h_1^{m_{01} r}, \dots, g_{L,i}^{r}, g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r}, \dots, g_{L,k}^{m_{0k} m_{1k} r}, g_{R,k}^{r}, h_k^{m_{1k} r}, \prod_{j=1}^{k} u_{L,j}^{k_{L,j} + l_{L,j} h(m_1)}\, u_{R,j}^{k_{R,j} + l_{R,j} h(m_1)}\right),$$
while $z = h^{m_{1i} r}$ gives us the challenge
$$\left(g_{L,1}^{r}, g_{R,1}^{m_{01} m_{11} r}, h_1^{m_{01} r}, \dots, g_{L,i}^{m_{0i} m_{1i} r}, g_{R,i}^{r}, h_i^{m_{1i} r}, \dots, g_{L,k}^{m_{0k} m_{1k} r}, g_{R,k}^{r}, h_k^{m_{1k} r}, \prod_{j=1}^{k} u_{L,j}^{k_{L,j} + l_{L,j} h(m_1)}\, u_{R,j}^{k_{R,j} + l_{R,j} h(m_1)}\right).$$
Since $A$ can distinguish these two challenges this means we have broken the DDH assumption. □
4 Rerandomizable RCCA Secure Encryption

The WRCCA secure cryptosystem is not RCCA secure. First, let us argue that the WRCCA secure cryptosystem from the previous section is not RCCA secure. So we are given a ciphertext
$$(u_{L,1}, u_{R,1}, v_1, \dots, u_{L,k}, u_{R,k}, v_k, a)$$
and want to know whether it encrypts $m_0$ or $m_1$. We simply transform it into
$$\left(g_{L,1}^{r'} u_{L,1},\ g_{R,1}^{r'} u_{R,1},\ h_1^{m_{01} r'} v_1,\ \dots,\ g_{L,k}^{r'} u_{L,k},\ g_{R,k}^{r'} u_{R,k},\ h_k^{m_{0k} r'} v_k,\ (c\,d^{h(m_0)})^{r'} a\right)$$
for a random $r'$, i.e., we multiply it component-wise with a fresh encryption of $m_0$. We then submit this modified ciphertext to the oracle $O_2$. If the encrypted message is $m_0$ then we have a new encryption of $m_0$, and $O_2$ answers test. On the other hand, if the encrypted message is $m_1$, then we have messed things up and $O_2$ answers invalid. This means that we can distinguish between encryptions of the two possible plaintexts.
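The following is an added example, not code from the paper: the WRCCA cryptosystem of the previous section over a toy safe-prime group (parameters, the sha256-based hash and all function names are my choices), together with the component-wise product just described, run against an RCCA-style oracle (which answers test on $m_0$ and $m_1$) and against a WRCCA-style oracle modelled on this page's description (which answers invalid on both). Only the first oracle lets the product reveal the plaintext.

```python
import hashlib
import random

# Toy parameters, constructed for this example: p = 2q + 1 is a safe prime, G is the
# order-q subgroup of squares in Z_p^*, so n = q is prime and its smallest prime
# factor is q itself; 2**ELL < q as the key generation demands.
P, Q, G0 = 10007, 5003, 4      # modulus, group order n, generator of G (4 = 2^2)
ELL, K = 12, 8                 # hash output bits, message length k (m in {-1,1}^K)
rng = random.Random(2004)      # seeded so the run is reproducible

def h(m):
    """Hash {-1,1}^K -> {0,1}^ELL, read as an integer below the smallest prime factor of n."""
    digest = hashlib.sha256(bytes(1 if b == 1 else 0 for b in m)).digest()
    return int.from_bytes(digest, "big") % (1 << ELL)

def in_group(x):
    """Membership test for G (easy to check, as the paper's footnote requires)."""
    return 0 < x < P and pow(x, Q, P) == 1

def keygen():
    hs = [pow(G0, rng.randrange(1, Q), P) for _ in range(K)]
    xL = [rng.randrange(1, Q) for _ in range(K)]
    xR = [rng.randrange(1, Q) for _ in range(K)]
    gL = [pow(hs[i], pow(xL[i], -1, Q), P) for i in range(K)]   # g_{L,i} = h_i^{x_{L,i}^{-1}}
    gR = [pow(hs[i], pow(xR[i], -1, Q), P) for i in range(K)]   # g_{R,i} = h_i^{x_{R,i}^{-1}}
    kL, kR, lL, lR = ([rng.randrange(Q) for _ in range(K)] for _ in range(4))
    c = d = 1
    for i in range(K):
        c = c * pow(gL[i], kL[i], P) * pow(gR[i], kR[i], P) % P
        d = d * pow(gL[i], lL[i], P) * pow(gR[i], lR[i], P) % P
    pk = {"hs": hs, "gL": gL, "gR": gR, "c": c, "d": d}
    sk = {"pk": pk, "xL": xL, "xR": xR, "kL": kL, "kR": kR, "lL": lL, "lR": lR}
    return pk, sk

def encrypt(pk, m, r=None):
    """E_pk(m; r) = (g_{L,1}^r, g_{R,1}^r, h_1^{m_1 r}, ..., g_{L,k}^r, g_{R,k}^r, h_k^{m_k r}, (c d^{h(m)})^r)."""
    r = rng.randrange(1, Q) if r is None else r
    y = []
    for i in range(K):
        y += [pow(pk["gL"][i], r, P), pow(pk["gR"][i], r, P), pow(pk["hs"][i], m[i] * r % Q, P)]
    return y + [pow(pk["c"] * pow(pk["d"], h(m), P) % P, r, P)]

def decrypt(sk, y):
    """Left-decrypt every bit, check the right key agrees, then verify the designated-verifier proof."""
    if len(y) != 3 * K + 1 or not all(in_group(e) for e in y):
        return "invalid"
    m = []
    for i in range(K):
        uL, uR, v = y[3 * i], y[3 * i + 1], y[3 * i + 2]
        wL = pow(uL, sk["xL"][i], P)                  # u_{L,i}^{x_{L,i}}
        if v == wL:
            m.append(1)
        elif v == pow(wL, Q - 1, P):                  # u_{L,i}^{-x_{L,i}}
            m.append(-1)
        else:
            return "invalid"
        if wL != pow(uR, sk["xR"][i], P):             # u_{L,i}^{x_{L,i}} = u_{R,i}^{x_{R,i}}
            return "invalid"
    hm, a = h(m), 1
    for i in range(K):
        a = a * pow(y[3 * i], (sk["kL"][i] + hm * sk["lL"][i]) % Q, P) % P
        a = a * pow(y[3 * i + 1], (sk["kR"][i] + hm * sk["lR"][i]) % Q, P) % P
    return m if a == y[-1] else "invalid"

def rerandomize(y):
    """Raise every component to a fresh r' in Z_n^*; the result still decrypts to m."""
    r2 = rng.randrange(1, Q)
    return [pow(e, r2, P) for e in y]

def multiply(y1, y2):
    """Component-wise product: E(m; r) * E(m; r') = E(m; r + r'), but mixing plaintexts breaks the proof."""
    return [a * b % P for a, b in zip(y1, y2)]

def rcca_oracle(sk, m0, m1, y):
    """Oracle O_2 of the RCCA game: answers test on the two challenge plaintexts."""
    m = decrypt(sk, y)
    return "test" if m in (m0, m1) else m

def wrcca_oracle(sk, m0, m1, y):
    """Oracle of the WRCCA game as this page describes it: challenge plaintexts and garbage both give invalid."""
    m = decrypt(sk, y)
    return "invalid" if m in (m0, m1) else m

def distinguish(pk, oracle, m0, challenge):
    """Section 4: multiply the challenge with a fresh encryption of m0; test means m0 was inside."""
    probe = multiply(challenge, encrypt(pk, m0))
    return 0 if oracle(probe) == "test" else 1

if __name__ == "__main__":
    pk, sk = keygen()
    m0, m1 = [1, -1, 1, 1, -1, -1, 1, -1], [-1, 1, 1, 1, 1, -1, -1, 1]
    rcca = lambda y: rcca_oracle(sk, m0, m1, y)
    print("rerandomized E(m0) decrypts to", decrypt(sk, rerandomize(encrypt(pk, m0))))
    print("RCCA oracle, challenge E(m0): guess", distinguish(pk, rcca, m0, encrypt(pk, m0)))
    print("RCCA oracle, challenge E(m1): guess", distinguish(pk, rcca, m0, encrypt(pk, m1)))
```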



Improving the cryptosystem to have RCCA security. In the following, we attempt to fix the WRCCA secure cryptosystem. The problem in the attack above is that the adversary can rerandomize the ciphertext in a way such that, depending on the message inside, he gets either test or invalid as the answer. To prevent this we wish for a cryptosystem where the adversary is forced to make a correct rerandomization, and if he does not then he has overwhelming probability of getting invalid as answer.

To accomplish this we raise $a$ to a random value $Z$. Rerandomization still works by raising all parts of the ciphertext to some random $r'$. Assuming the receiver knows this secret $Z$ he can decrypt the ciphertext. On the other hand an adversary that does not know $Z$ can only modify the proof in a meaningful way by raising the proof to some exponent. The adversary is therefore forced to either make correct rerandomizations or make some garbage. In particular he cannot use the previous attack where he with 50% probability creates a rerandomization and with 50% probability makes some garbage.

For this to be a public key cryptosystem we need the sender to choose $Z$ and transmit it to the receiver. Therefore, she encrypts $Z$ and sends it to the receiver. Since we want to have perfect rerandomization we also need to be able to rerandomize $Z$ and the encryption of $Z$. We therefore use a homomorphic cryptosystem with message space $\mathbb{Z}_n$ to transmit $Z$ to the receiver. This could for instance be Paillier encryption, Cramer-Shoup Lite encryption based on the decisional composite residuosity assumption or perhaps some elliptic curve based cryptosystem.



Key generation: We set up the same public/private keys $(pk, sk)$ as in the previous section. Generate also keys $(pk_n, sk_n)$ for an additively homomorphic cryptosystem with message space $\mathbb{Z}_n$. We demand that it is infeasible to find non-trivial factors of $n$.

The public key is $PK = (pk, pk_n)$.

The secret key is $SK = (sk, sk_n)$.

Encryption: Input: $m \in \{-1,1\}^k$.
$$E_{PK}(m; r, R, Z) = \left(g_{L,1}^{r}, g_{R,1}^{r}, h_1^{m_1 r}, \dots, g_{L,k}^{r}, g_{R,k}^{r}, h_k^{m_k r}, (c\,d^{h(m)})^{rZ}, E_{pk_n}(Z; R)\right).$$

Decryption: Given a ciphertext $Y = (u_{L,1}, u_{R,1}, v_1, \dots, u_{L,k}, u_{R,k}, v_k, \beta, y)$.

Compute $Z = D_{sk_n}(y)$. Check that $Z \in \mathbb{Z}_n^*$. Set $a = \beta^{Z^{-1}}$. Finally, compute
$$m = D_{sk}(u_{L,1}, u_{R,1}, v_1, \dots, u_{L,k}, u_{R,k}, v_k, a).$$
If all checks and computations work out return $m$, otherwise return invalid.

Rerandomization: Input: $PK$ and a ciphertext $Y$.

Format $Y$ as $(u_{L,1}, u_{R,1}, v_1, \dots, u_{L,k}, u_{R,k}, v_k, \beta, y)$. Check that all of these elements belong to the appropriate groups.

Select randomizers $r', Z', R'$.

Return $\left(u_{L,1}^{r'}, u_{R,1}^{r'}, v_1^{r'}, \dots, u_{L,k}^{r'}, u_{R,k}^{r'}, v_k^{r'}, \beta^{r' Z'}, E_{pk_n}(0; R') \cdot y^{Z'}\right)$, where the last component uses the homomorphic property to turn $y$ into a fresh encryption of $Z Z'$.
It is straightforward to verify that the cryptosystem is rerandomizable, and WRCCA security follows from the previous section. Left is the question whether it is RCCA secure.

Speaking against this idea is the fact that the adversary does actually get access to a chosen ciphertext attack on the homomorphic cryptosystem. For instance, given a $y$, it may choose a message $m$, a randomness $r$ and a guess $z$ and form
$$\left(g_{L,1}^{r}, g_{R,1}^{r}, h_1^{m_1 r}, \dots, g_{L,k}^{r}, g_{R,k}^{r}, h_k^{m_k r}, (c\,d^{h(m)})^{rz}, y\right).$$
Giving this ciphertext to $O_2$ it can learn whether $y$ contains $z$ or not. Of course, if the adversary can use queries like this to figure out $Z$ of the challenge encryption, then it may use the attack on the WRCCA scheme to violate the RCCA security of the proposed cryptosystem.



The semi-generic model. We are unable to prove security of the cryptosystem 
directly and likewise unable to break it. We therefore try to formulate a reason- 
able security model that says something about the security of the cryptosystem. 
Since random oracles are no good with respect to rerandomizable encryption we 
instead turn to the generic model, which has been explored in several papers 
including [11,12,13]. In other words, we will prove that if a generic homomor- 
phic cryptosystem over Z„ is used to encrypt Z, then the construction is RCCA 
secure. 

By a generic cryptosystem, we mean the following functionality. On an input (Encrypt, $z$) we choose $y$ at random and store $(z, y)$. On a query (Add, $y$, $y'$) we look up whether $y, y'$ have already been stored as $(z, y)$ and $(z', y')$. In that case we select at random $y''$ and store $(z + z', y'')$. On input (Decrypt, $y$) we look up whether $(z, y)$ has been stored for some $z$, and in that case we return $z$. Note that both adding a known value to an encrypted message and multiplying an encrypted message by some known number can be built from these two functions. This means that we allow use of the well-known homomorphic properties of cryptosystems such as Paillier encryption, CS-Lite encryption or elliptic curve based encryption. In the following, we use the shorthand $[x]$ to denote a generic encryption of $x$.

Encryption and decryption work as before, except we now use this generic 
cryptosystem to encrypt Z. The problem in the WRCCA case was that our oracle 
that just used left-decryption could not tell when to answer test and invalid, 
and indeed we showed with a concrete attack that this difference is important. 
We will argue that this problem goes away in the semi-generic model. 

Recall that in the intuition provided for our conjectured RCCA secure cryptosystem we imagined $Z$ to be completely unknown to the adversary. Since the adversary has access to a chosen ciphertext attack it is not possible to use semantic security of the encryption of $Z$ to argue RCCA security. The semi-generic model intuitively corresponds to a "perfect" encryption of $Z$, which at the same time has the needed homomorphic property.

Theorem 2. The cryptosystem described above is RCCA secure against semi-generic adversaries under the DDH assumption and the collision-freeness of the hash-function.

Proof. Consider the definition of RCCA security. We will replace the oracle $O_2$ with a different oracle $O'$. $O'$ works like $O_2$ except when seeing a ciphertext $Y$ that left-decrypts to $m_0$ and right-decrypts to $m_1$. In this special case it will check whether the proof $a$ is valid with either $h(m_0)$ or $h(m_1)$. In those two cases, $O'$ returns test, while in all other cases it acts like $O_2$.

Just as in the proof of Theorem 1 we consider probabilities $p_0, \dots, p_6$ that we define the following way:
$$p_i = \Pr\left[(pk, sk) \leftarrow K();\ (m_0, m_1) \leftarrow A^{O_1}(pk);\ y \leftarrow \mathrm{Chal}_i : A^{O}(y) = 1\right],$$
where $\mathrm{Chal}_i$ for the various probabilities gives the following challenges, and in $p_0, p_6$ we use $O = O_2$, while in $p_1, \dots, p_5$ we use $O = O'$.



$p_0$: $\left(g_{L,1}^{r}, g_{R,1}^{r}, h_1^{m_{01} r}, \dots, g_{L,k}^{r}, g_{R,k}^{r}, h_k^{m_{0k} r}, (c\,d^{h(m_0)})^{rZ}, [Z]\right)$

$p_1$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{r}, h_i^{m_{0i} r}, \dots, \left(\prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_0)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_0)}\right)^{Z}, [Z]\right)$

$p_2$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r}, \dots, \left(\prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_0)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_0)}\right)^{Z}, [Z]\right)$

$p_3$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{m_{0i} m_{1i} r}, h_i^{m_{0i} r}, \dots, \left(\prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_1)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_1)}\right)^{Z}, [Z]\right)$

$p_4$: $\left(\dots, g_{L,i}^{m_{0i} m_{1i} r}, g_{R,i}^{r}, h_i^{m_{1i} r}, \dots, \left(\prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_1)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_1)}\right)^{Z}, [Z]\right)$

$p_5$: $\left(\dots, g_{L,i}^{r}, g_{R,i}^{r}, h_i^{m_{1i} r}, \dots, \left(\prod_{i=1}^{k} u_{L,i}^{k_{L,i} + l_{L,i} h(m_1)}\, u_{R,i}^{k_{R,i} + l_{R,i} h(m_1)}\right)^{Z}, [Z]\right)$

$p_6$: $\left(g_{L,1}^{r}, g_{R,1}^{r}, h_1^{m_{11} r}, \dots, g_{L,k}^{r}, g_{R,k}^{r}, h_k^{m_{1k} r}, (c\,d^{h(m_1)})^{rZ}, [Z]\right)$

As in the proof of Theorem 1, the product in the proof component is computed over the preceding components $u_{L,i}, u_{R,i}$ of that challenge.

To prove that the cryptosystem is RCCA secure we need to prove that $p_0 \approx p_6$. $p_0 \approx p_1$ according to Claim 21. $p_1 \approx p_2$ according to Claim 22. $p_2 \approx p_3$ according to Claim 24. $p_3 \approx p_4$ follows from a similar argument as we gave for Claim 14 in the proof of Theorem 1. $p_4 \approx p_5$ follows from a quite similar argument as the one given for Claim 22. $p_5 \approx p_6$ likewise follows from the proof of Claim 21.



Claim 21. $p_0 \approx p_1$.

Proof. Both challenges are computed the same way. The difference between the probabilities is the oracles $O_2$ and $O'$. However, we will argue that it is infeasible even for a computationally unbounded adversary $A$ to distinguish between the two oracles as long as it may only make a polynomial number of queries, and even if $A$ is allowed to freely make decryption queries to the generic cryptosystem.

The information available to $A$ about $k_{L,1}, \dots, l_{R,k}$ is what it can tell from $c$ and $d$ and the challenge. Consider a query $(u'_{L,1}, u'_{R,1}, v'_1, \dots, u'_{L,k}, u'_{R,k}, v'_k, \beta', [Z'])$. Calling the respective discrete logarithms $r_{L,1}, r_{R,1}, r_1, \dots, r_{L,k}, r_{R,k}, r_k, Z'\log(a')$ we get the following system of linear equations.
$$\begin{pmatrix}
1 & 1 & \cdots & 0 & 0 & \cdots \\
0 & 0 & \cdots & 1 & 1 & \cdots \\
r & r & \cdots & r\,h(m_0) & r\,h(m_0) & \cdots \\
r_{L,i} & r_{R,i} & \cdots & r_{L,i}\, h(m) & r_{R,i}\, h(m) & \cdots
\end{pmatrix}
\begin{pmatrix}
\log(g_{L,i})\, k_{L,i} \\ \log(g_{R,i})\, k_{R,i} \\ \vdots \\ \log(g_{L,i})\, l_{L,i} \\ \log(g_{R,i})\, l_{R,i} \\ \vdots
\end{pmatrix}
=
\begin{pmatrix} \log(c) \\ \log(d) \\ \log(a) \\ \log(a') \end{pmatrix}$$

If the query is to return something else than invalid with more than negligible probability then $A$ must use $r_{L,1} = r_{R,1} = \dots = r_{L,k} = r_{R,k}$. But on such queries $O_2$ and $O'$ work the same way.



Claim 22. $p_1 \approx p_2$.

Sketch of proof. Just as in Claim 11 in the proof of Theorem 1 we may argue that we can break the DDH assumption if $A$ distinguishes between the two challenges. The difference between Claim 11 and Claim 22 is the oracles that are used. However, here we may also argue just as in the proof of that claim that left-decryptions work just as well as right-decryptions. This follows from Claim 23.

Claim 23. The oracles $O_1^L, O'^L$ that only left-decrypt ciphertexts give the same answers as $O_1, O'$.

Proof. We look at the difficult case, namely whether $O'$ and $O'^L$ answer the same. Consider the information available to an adversary regarding $k_{L,1}, \dots, l_{R,k}$. There is $c$, $d$ and possibly a fake ciphertext. From this it must create a ciphertext with "proof" $\beta'$. Since we are using a generic cryptosystem for storing $Z$, the adversary must store some value $f(Z)$ in the homomorphic encryption. With the generic cryptosystem $f(Z) = aZ + b \bmod n$ with $a, b$ known to the adversary. Defining $\delta_i = m_{0i} m_{1i}$ we get the following system of linear equations in $\mathbb{Z}_n$.
$$\begin{pmatrix}
1 & 1 & \cdots & 0 & 0 & \cdots \\
0 & 0 & \cdots & 1 & 1 & \cdots \\
r & r\delta_i & \cdots & r\,h(m_0) & r\delta_i\, h(m_0) & \cdots \\
r_{L,i} & r_{R,i} & \cdots & r_{L,i}\, h(m) & r_{R,i}\, h(m) & \cdots
\end{pmatrix}
\begin{pmatrix}
\log(g_{L,i})\, k_{L,i} \\ \log(g_{R,i})\, k_{R,i} \\ \vdots \\ \log(g_{L,i})\, l_{L,i} \\ \log(g_{R,i})\, l_{R,i} \\ \vdots
\end{pmatrix}
=
\begin{pmatrix} \log(c) \\ \log(d) \\ \dfrac{\log(\beta)}{Z} \\[1ex] \dfrac{\log(\beta')}{f(Z)} \end{pmatrix}$$
It is immediate that for any query with noticeable chance of being valid we must have some $r_L = r_{L,i}$ for all $i$. Reducing the matrices we get
$$\left(\begin{array}{cccccc|c}
1 & 1 & \cdots & 0 & 0 & \cdots & \log(c) \\
0 & 0 & \cdots & 1 & 1 & \cdots & \log(d) \\
0 & \delta_i - 1 & \cdots & 0 & (\delta_i - 1)\, h(m_0) & \cdots & \dfrac{\log(\beta)}{rZ} - \log(c) - h(m_0)\log(d) \\[1.5ex]
0 & r_{R,i} - r_L & \cdots & 0 & (r_{R,i} - r_L)\, h(m) & \cdots & \dfrac{\log(\beta')}{f(Z)} - r_L\log(c) - r_L\, h(m)\log(d)
\end{array}\right)$$

If we have $r_{R,i} = r_L$ for all $i$ then the left-decryption corresponds to the real decryption and both pairs of oracles answer the same. Assuming we are not in this trivial situation we can argue that for all $i$ with $\delta_i = 1$ we have $r_{R,i} = r_L$. Similarly we have some $r_R$ such that for all the other $i$'s we have $r_{R,i} = r_R$.
We also see that $m = m_0$ by the collision-freeness of the hash-function. Adding $\frac{r_R - r_L}{2}$ times row three to row four we get:
$$\left(\begin{array}{cccccc|c}
1 & 1 & \cdots & 0 & 0 & \cdots & \log(c) \\
0 & 0 & \cdots & 1 & 1 & \cdots & \log(d) \\
0 & \delta_i - 1 & \cdots & 0 & (\delta_i - 1)\, h(m_0) & \cdots & \dfrac{\log(\beta)}{rZ} - \log(c) - h(m_0)\log(d) \\[1.5ex]
0 & 0 & \cdots & 0 & 0 & \cdots & \dfrac{\log(\beta')}{f(Z)} - \dfrac{r_L + r_R}{2}\left(\log(c) + h(m_0)\log(d)\right) + \dfrac{r_R - r_L}{2}\cdot\dfrac{\log(\beta)}{rZ}
\end{array}\right)$$

We must therefore have
$$\frac{\log(\beta')}{f(Z)} - \frac{r_L + r_R}{2}\left(\log(c) + h(m_0)\log(d)\right) + \frac{r_R - r_L}{2}\cdot\frac{\log(\beta)}{rZ} = 0 \bmod n.$$

This implies
$$2\log(\beta')\, rZ - (r_L + r_R)\left(\log(c) + h(m_0)\log(d)\right) rZ\, f(Z) + (r_R - r_L)\log(\beta)\, f(Z) = 0 \bmod n.$$

Since we use a generic cryptosystem the adversary cannot produce anything but $f(Z) = aZ + b$ with $a$ and $b$ known. We then get a degree 2 polynomial in $Z$ on the left side of the equation. Since $Z$ is unknown, the adversary can only have a chance at producing correct proofs by making sure that it is the zero-polynomial on the left side.

So if the left side of the equation is the zero-polynomial then we get $(r_R - r_L)\log(\beta)\, b = 0 \bmod n$. Since $b$ cannot be a non-trivial factor of $n$ this implies $b = 0$ or $r_L - r_R = 0$. In the latter case both right- and left-decryption are the same and we are done. We therefore continue under the assumption that $b = 0$.

Considering the $Z^2$-part we get $(r_L + r_R)\left(\log(c) + h(m_0)\log(d)\right) r a = 0 \bmod n$. This implies $a = 0$ or $r_L = -r_R$. However, $a = 0$ would mean that $y'$ contains $0Z + 0$ which automatically leads to the response invalid by both the real oracles and the left-oracles. On the other hand if we have $r_L = -r_R$ then we have for all $i$'s where $\delta_i = -1$ that $r_{R,i} = \delta_i r_L$. Since the left-decryption is $m_0$ this implies a right-decryption to $m_1$. But also in this case the left-oracles give the same answer as the real oracle.

Remark 1. It is worth noting that even if we allow other types of mauling of the generic cryptosystem, we may have security. In particular, if we allow it to be algebraically homomorphic (i.e., both addition and multiplication of plaintexts are possible) this does not break our construction. In that case $f(Z)$ becomes a polynomial in $Z$ with a polynomial number of different roots and we can use arguments similar to the one above to show that the left-oracles work the same way as the real oracles.
Claim 24. $p_2 \approx p_3$.

Proof. Assume WLOG that $A$ is computationally unbounded (but may only make a polynomial number of queries to the oracles) and knows the secret keys except $k_{L,1}, \dots, l_{R,k}$. We may argue from Claim 13 in the proof of Theorem 1 that it does not have any information on $h(m_b)$ from the challenge itself, and therefore cannot distinguish the two experiments without making oracle queries.

Let us consider the oracle queries that it may make. We label the discrete logarithms of a successful query $(u'_{L,1}, u'_{R,1}, v'_1, \dots, u'_{L,k}, u'_{R,k}, v'_k, (a')^{Z'}, [Z'])$ with $r_{L,1}, r_{R,1}, r_1, \dots, r_{L,k}, r_{R,k}, r_k, Z'\log(a')$. We then have the following system of equations.
$$\begin{pmatrix}
1 & 1 & \cdots & 0 & 0 & \cdots \\
0 & 0 & \cdots & 1 & 1 & \cdots \\
r & r\delta_i & \cdots & r\,h(m_b) & r\delta_i\, h(m_b) & \cdots \\
r_{L,i} & r_{R,i} & \cdots & r_{L,i}\, h(m) & r_{R,i}\, h(m) & \cdots
\end{pmatrix}
\begin{pmatrix}
\log(g_{L,i})\, k_{L,i} \\ \log(g_{R,i})\, k_{R,i} \\ \vdots \\ \log(g_{L,i})\, l_{L,i} \\ \log(g_{R,i})\, l_{R,i} \\ \vdots
\end{pmatrix}
=
\begin{pmatrix} \log(c) \\ \log(d) \\ \log(a) \\ \log(a') \end{pmatrix}$$

We see that there is an element $r_L$ such that for all $i$ we have $r_{L,i} = r_L$. Reducing the matrix we get
$$\begin{pmatrix}
1 & 1 & \cdots & 0 & 0 & \cdots \\
0 & 0 & \cdots & 1 & 1 & \cdots \\
0 & \delta_i - 1 & \cdots & 0 & (\delta_i - 1)\, h(m_b) & \cdots \\
0 & r_{R,i} - r_L & \cdots & 0 & (r_{R,i} - r_L)\, h(m) & \cdots
\end{pmatrix}.$$

Unless $r_{R,i} = r_L$ for all $i$, we must have $h(m) = h(m_b)$ and $r_{R,i} = \delta_i r_L$ for all $i$. Those two options correspond to respectively making a new ciphertext, or rerandomizing the challenge. In either case, $A$ does not learn anything new from $O'$'s answers.

□ 



Theorem 2 tells us that the scheme is RCCA secure against semi-generic adversaries that only use standard group operations on the encryption of $Z$. We can instantiate the cryptosystem with many possible homomorphic cryptosystems, for instance Paillier encryption, CS-Lite encryption or elliptic curve encryption. We could also use a multiplicative homomorphic property instead and use standard RSA to encrypt $Z$. To break the scheme we would have to come up with some non-standard way of mauling these cryptosystems. We believe such a result would be highly interesting in itself.



5 Discussion 

To evaluate our results we find it useful to compare them with the development 
of standard CCA2 secure public key encryption. In this process, Naor and Yung 
[14] invented a CCA1 secure encryption scheme. Dolev, Dwork and Naor [I] then
suggested a CCA2 secure cryptosystem. Several years after this Cramer and
Shoup [3] suggested the first practical CCA2 secure cryptosystem. Furthermore, 
several schemes have been proposed that are secure in the random oracle model. 
A proof of security in the random oracle model is not a real proof of security, 
but it is better than no proof at all. 

With respect to rerandomizable encryption our intuition is that WRCCA 
secure encryption is a step on the way. WRCCA secure encryption may have its 
uses, however, as CCA2 secure encryption is the standard for public key encryp- 
tion we think RCCA secure encryption is the right standard for rerandomizable 
encryption. As stated earlier we believe coming up with a rerandomizable RCCA 
secure encryption scheme is a very hard task, and certainly an interesting open 
problem. In lack of such a scheme, we have suggested using another security 
paradigm, namely RCCA security against semi-generic adversaries. Just as prov- 
ing CCA2 security in the random oracle model is not the same as proving CCA2 
security in the standard model, proving RCCA security in the semi-generic model 
is not the same as proving RCCA security in the standard model, but it is better 
than no proof at all. 



Acknowledgments. Moni Naor suggested the idea of rerandomizable encryp-
the research. Thanks go to Alon Rosen and Jesper Buus Nielsen for discussions.
A Appendix

Theorem 3. The directed graph in Figure 1 describes completely the relations between our security notions. ATT1 security implies ATT2 security if there is a path from ATT1 to ATT2. If there is no path from ATT1 to ATT2, then a cryptosystem with ATT1 security implies the existence of an ATT2 secure cryptosystem, which is not ATT1 secure.

Sketch of proof. It is trivial to follow each arrow and see that it leads to a weaker security notion.

We list the constructions that can be used to separate the security notions. To show that ATT1 $\not\Rightarrow$ ATT2 we assume that $(K, E, D)$ is an ATT1 secure cryptosystem and present $(K', E', D')$ that is ATT1 secure but not ATT2 secure. $K', E'$ will be as follows.

Key generation: $K'$ runs $(pk, sk) \leftarrow K()$. $K'$ also selects at random a seed $s$ for a pseudorandom function PRF and a random nonce $r$. It returns $(pk' = (pk, r),\ sk' = (sk, r, s))$.

Encryption: $E'_{pk'}(m; r) = (0, E_{pk}(m))$.

Left is to describe how $D'$ works, which we do in the table of inputs and corresponding outputs below.

RCCA+PA1 $\not\Rightarrow$ CCA2:

$(0, y)$: $D_{sk}(y)$

$(1, y)$: $\mathrm{PRF}_s(y)$

$(2, p, y)$: If $p = \mathrm{PRF}_s(y)$ return $D_{sk}(y)$, else return invalid.

WRCCA+ATT $\not\Rightarrow$ RCCA, where ATT $\in$ {RPA1, RPA1+PA0, PA1}:

$(0, y)$: $D_{sk}(y)$

$(1, y)$: $\mathrm{PRF}_s(y)$

$(2, p, m, y)$: If $p = \mathrm{PRF}_s(y)$ and $m = D_{sk}(y)$ return $m$, else return invalid.
[Figure 1: a directed graph over the notions CCA2, RCCA+PA1, RCCA+PA0, WRCCA+PA1, RCCA, WRCCA+RPA1+PA0, WRCCA+RPA1, WRCCA+PA0, WRCCA+RPA0, RPA1, PA1, RPA1+PA0, WRPA1+PA0, WRCCA, WRPA1+RPA0, CCA1+PA0, WRPA1, CCA1+RPA0, PA0, CCA1+WRPA0, RPA0, WRPA0, CPA; the arrows are not recoverable from this copy.]

Fig. 1. Relations between security notions.
ATT $\not\Rightarrow$ WRCCA, ATT $\in$ {PA1, RPA1+PA0, RPA1, WRPA1+RPA0, WRPA1}:

$(0, y)$: $D_{sk}(y)$

$(1, y)$: $\mathrm{PRF}_s(y)$

$(2, p, m, y)$: If $p = \mathrm{PRF}_s(y)$ and $m = D_{sk}(y)$ return yes, else return invalid.

CCA1+ATT $\not\Rightarrow$ WRPA1, where ATT $\in$ {PA0, RPA0, WRPA0, nothing}:

$(0, y)$: $D_{sk}(y)$

$(1, r)$: $s$

$(2, s, y)$: (output lost in this copy)

ATT $\not\Rightarrow$ CCA1, where ATT $\in$ {PA0, RPA0, WRPA0, CPA}:

$(0, y)$: $D_{sk}(y)$

$(1, r)$: $s$

$(2, s)$: $sk$.

ATT $\not\Rightarrow$ WRPA0, where ATT $\in$ {CPA, CCA1}:

$(0, y)$: $D_{sk}(y)$

$(1, m, y)$: If $m = D_{sk}(y)$ then return yes, else return invalid.

ATT $\not\Rightarrow$ RPA0, where ATT $\in$ {WRPA0, CCA1+WRPA0, WRPA1, WRCCA}:

$(0, y)$: $D_{sk}(y)$

$(1, m, y)$: If $m = D_{sk}(y)$ then return $m$, else return invalid.

ATT $\not\Rightarrow$ PA0, where ATT $\in$ {RPA0, CCA1+RPA0, RPA1, WRCCA+RPA0}:

$(0, y)$: $D_{sk}(y)$

$(1, y)$: $D_{sk}(y)$.

ATT $\not\Rightarrow$ RPA1, ATT $\in$ {WRCCA, WRCCA+PA0, WRPA1+RPA0, WRPA1+PA0}:

$(0, y)$: $D_{sk}(y)$

$(1, r)$: $s$

$(2, s, m, y)$: If $m = D_{sk}(y)$ then return $m$, else return invalid.

ATT $\not\Rightarrow$ PA1, ATT $\in$ {WRCCA+RPA1+PA0, RPA1+PA0, RCCA+PA0}:

$(0, y)$: $D_{sk}(y)$

$(1, r)$: $s$

$(2, s, y)$: $D_{sk}(y)$.

□

It is interesting to note that Theorem 3 implies that a cryptosystem that 
is both IND-CCAl secure and NM-CPA secure is not necessarily NM-CCAl 
secure. This combination was not considered in [15]. 
Abstract. We explore whether non-malleability is necessary for the ap-
plications typically used to motivate it, and propose two alternatives. 
The first we call weak non-malleability (wnm) and show that it suf- 
fices to achieve secure contract bidding (the application for which non- 
malleability was initially introduced), despite being strictly weaker than 
non-malleability. The second we call tag-based non-malleability (tnm), 
and show that it suffices to construct an efficient universally-composable 
secure message transmission (SMT) protocol, for which the only previ- 
ous solution was based on a public key encryption functionality whose 
security is equivalent to non-malleability. We also demonstrate construc- 
tions for wnm and tnm encryption schemes that are simpler than known 
constructions of non-malleable encryption schemes. 



1 Introduction 

Non-malleability [11] is a security condition for encryption schemes that requires, informally, that an attacker given a challenge ciphertext be unable to produce another, different ciphertext so that the plaintexts underlying the two ciphertexts are “meaningfully related” to each other. Non-malleability is the strongest commonly considered notion of security for encryption, being strictly stronger than indistinguishability [14] under chosen-plaintext or indifferent chosen-ciphertext (“lunchtime”) attacks, and being equivalent to indistinguishability under adaptive chosen-ciphertext attacks [1].

In this paper we revisit the definition of non-malleability with an eye toward whether it is necessary for applications commonly used to motivate it. Our contributions in this study are twofold. First, we identify alternatives to non-malleability that suffice for applications where previously non-malleability seemed warranted. Second, we identify encryption schemes that implement these variants and that are conceptually simpler than known non-malleable schemes.

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 171-190, 2004.
© Springer-Verlag Berlin Heidelberg 2004

P. MacKenzie, M.K. Reiter, and K. Yang

The alternative definitions that we propose deviate from non-malleability in different ways. The first notion, which we call weak non-malleability (wnm), identifies a point in the space of definitions strictly between non-malleability and indistinguishability (in those cases where there is room between them, i.e.,
under chosen-plaintext and lunchtime attacks). Informally, wnm allows mauling of a ciphertext c, but such that this mauling does not benefit the adversary. In particular, a mauling that produces a valid ciphertext c' would imply that the adversary has successfully guessed the plaintext corresponding to c, and thus for many natural applications, this mauling would not be useful. In other words, in such applications, wnm should suffice in place of non-malleability. As an example, we show that a wnm encryption scheme suffices to implement a secure contract bidding auction in the spirit of that originally used to (informally) motivate non-malleability [11]. Still, wnm does allow an adversary to produce a ciphertext c' that has a (very restricted) dependence on a given ciphertext c, and we can in fact show that wnm is a strictly weaker property than non-malleability. In addition, we show that this weaker property may be satisfied by very simple encryption schemes similar to those used in Bellare and Rogaway [2] to achieve the (even less stringent) property of indistinguishability under chosen-plaintext attacks [2].¹ These schemes assume p is a prime, H is a hash function (modeled by a random oracle in our security analyses) with range a group X with group operation ·, and f denotes a trapdoor permutation that constitutes the public key (with the trapdoor being the private key):

Mult-Range scheme. The encryption of m is E(m) = <f(r), H(r)·m> where r is chosen randomly (per encryption) from the domain of f, the plaintext space is an integer range [a, b] satisfying 0 < a < b < p, a > (b − a)² and p > 2b², and X = Z_p^* with · being multiplication in Z_p^*.

Mult-Adjacent scheme. The encryption of m is E(m) = <f(r), H(r)·(m, m + 1)> where r is chosen randomly (per encryption) from the domain of f, the plaintext space is Z_p^* \ {p − 1}, and X = Z_p^* × Z_p^* with group operation · being component-wise multiplication in Z_p^*, i.e., (x0, x1)·(y0, y1) = (x0·y0, x1·y1).

Add-Square scheme. The encryption of m is E(m) = <f(r), H(r)·(m, m²)>, where the plaintext space is Z_p, and X = Z_p × Z_p with group operation · being component-wise addition in Z_p, i.e., (x0, x1)·(y0, y1) = (x0 + y0, x1 + y1).

For some intuition behind weak non-malleability, consider the Mult-Range scheme above. Without the range restriction on the plaintext space, this scheme would be completely malleable (similar to the first scheme introduced in [2]). However, simply by restricting the range of plaintexts (as opposed to, e.g., adding an additional hash for verification/redundancy, as is done in [2] to achieve non-malleability) we are able to achieve wnm. Informally, this is because any modification of a ciphertext (v, w) to (v, w') implies a multiplying factor w'/w for which there is only a single plaintext in the range that would be transformed into another plaintext in the range.

¹ While there exist efficient encryption systems that implement indistinguishability under adaptive chosen-ciphertext attacks (and thus non-malleability under these attacks, e.g., [2,8]), we are unaware of prior constructions that, like those listed here, so simply implement a property strictly stronger than indistinguishability (in this case, weak non-malleability) under chosen-plaintext and lunchtime attacks.
The second alternative to non-malleability that we propose is called tag-based non-malleability (tnm). Here, we structurally modify encryption and decryption to take an additional public string argument called a tag. Informally, tnm dictates that an adversary be unable to create a (ciphertext, tag) pair with plaintext related to that of the challenge ciphertext and with the tag being different from the challenge tag, even though it is able to obtain decryptions of (ciphertext, tag) pairs with any tag different from the challenge tag. We demonstrate the utility of tnm by using it to implement the “secure message transmission functionality” in the universal composability framework of [5], replacing the use of non-malleable encryption there, and arguably providing a more natural implementation. tnm also admits exceedingly simple implementations, e.g.:

Tag-based scheme. The encryption of m with tag t is E(m, t) = <f(r), H(r, t)·m> where r is chosen randomly (per encryption) from the domain of f. The plaintext space is Z_p^*, and X = Z_p^* with · being multiplication in Z_p^*.

We also present a tnm construction that is a (simpler) variation of the Cramer-Shoup encryption scheme [8,9]. The change in structure for encryption and decryption (specifically due to the tag) does not permit us to argue that tnm is definitionally weaker than non-malleability. However, given a non-malleable encryption scheme, it is trivial to implement a tnm scheme using it with no additional assumptions or loss in security. We also show how to implement a non-malleable scheme using a tnm scheme and a one-time signature scheme.



2 Preliminaries 

Trapdoor Permutations [2,15] A permutation generator G* is a probabilistic polynomial time algorithm that takes 1^k as input and outputs three polynomial-time algorithms (f, f^{-1}, d), the first two being deterministic, and the last being probabilistic. The range of d(1^k) is required to be a subset of {0, 1}^k, and f, f^{-1} are permutations over the range of d(1^k), and are inverses of each other. G* is a trapdoor permutation generator if it is a permutation generator such that for all non-uniform polynomial-time algorithms A, Pr[(f, f^{-1}, d) ← G*(1^k); x ← d(1^k); y ← f(x) : A(f, d, y) = x] is negligible. It is commonly assumed that, for example, RSA is a trapdoor permutation.

Encryption schemes An encryption scheme Π is a triple (G, E, D) of algorithms, the first two being probabilistic, and all running in polynomial time. G takes as input 1^k and outputs a public key pair (pk, sk), i.e., (pk, sk) ← G(1^k). E takes a public key pk and a message m as input and outputs an encryption c for m; we denote this c ← E_pk(m). D takes a private key sk and a ciphertext c as input and returns either a message m such that c is a valid encryption of m, if such an m exists, and otherwise returns ⊥; we denote this m ← D_sk(c).
As discussed in Section 1, indistinguishability [14] is the most commonly studied goal for encryption. Here we adopt definitions ind-cpa, ind-cca1, and ind-cca2 from [1]. Below we give the definition of non-malleability from Dolev, Dwork and Naor [11], as written explicitly as the simulator-based non-malleable (snm) definition in Bellare and Sahai [4].² In this definition and throughout, we use atk to denote one of {cpa, cca1, cca2} and define oracles O1 and O2 as follows:

atk = cpa  ⇒ O1(·) = ε,        O2(·) = ε
atk = cca1 ⇒ O1(·) = D_sk(·),  O2(·) = ε
atk = cca2 ⇒ O1(·) = D_sk(·),  O2(·) = D_sk(·)

Definition 1 (snm-cpa, snm-cca1, snm-cca2). Let Π = (G, E, D) be an encryption scheme, let R be a relation, let A = (A1, A2) be an adversary, and let S = (S1, S2) be an algorithm (the “simulator”). For k ∈ N define

Adv^{snm-atk}_{A,S,Π}(R, k) = Pr[Expt^{snm-atk}_{A,Π}(R, k) = 1] − Pr[Expt^{snm-atk}_{S,Π}(R, k) = 1], where

Expt^{snm-atk}_{A,Π}(R, k):
  (pk, sk) ← G(1^k)
  (M, s1, s2) ← A1^{O1}(pk)
  x ← M
  y ← E_pk(x)
  y⃗ ← A2^{O2}(s2, y)
  x⃗ ← D_sk(y⃗)
  Return 1 iff (y ∉ y⃗) ∧ R(x, x⃗, M, s1)

Expt^{snm-atk}_{S,Π}(R, k):
  (pk, sk) ← G(1^k)
  (M, s1, s2) ← S1(pk)
  x ← M
  y⃗ ← S2(s2)
  x⃗ ← D_sk(y⃗)
  Return 1 iff R(x, x⃗, M, s1)

We say that Π is secure in the sense of snm-atk if for every polynomial q(k), every R computable in time q(k), every A that runs in time q(k) and outputs a valid message space M samplable in time q(k), there exists a polynomial-time algorithm S such that Adv^{snm-atk}_{A,S,Π}(R, k) is negligible.

Technically, for our definitions to hold with respect to random oracles we would 
need to explicitly include a random oracle in our experiments. However, this can 
be done in a standard way, and for readability it is not included. 



3 Weak Non-malleability 

3.1 Definition 

Here we propose a definition for weak non-malleable (wnm) encryption schemes. As in Definition 1, a wnm-secure encryption scheme requires the existence of a simulator S (not given a challenge ciphertext y) that has roughly the same probability as an adversary A (given y) of generating a vector y⃗ of ciphertexts for which the plaintext vector x⃗ bears some relationship R with the plaintext x of y. In the wnm definition, the adversary experiment will take exactly the same form as that in Definition 1. The difference lies in the simulator experiment and the form of S. Specifically, S is permitted to make each element y_i of y⃗ contingent upon a “guess” z_i as to the value of x. That is, relation R tests x against a vector x⃗ where each element x_i is the plaintext of the corresponding y_i in y⃗ if either S guessed x or offered no guess (i.e., guessed ⊥), and where x_i is ⊥ otherwise.

² Actually we slightly modify the definition of [4] so as to not require that every element of y⃗ decrypt to a valid plaintext. This is needed for the equivalences stated in [4] to hold.

It is easy to see that any snm-secure encryption scheme is also wnm-secure, since the wnm-simulator is simply given more power. It is perhaps not as easy to see that this power is sufficient to allow a wnm-secure scheme that is not snm-secure, but we will show that in fact this is the case. For example, the wnm-schemes presented in the introduction are not snm-secure in the random oracle model.³

The precise definition of wnm security is as follows. 

Definition 2 (wnm-cpa, wnm-cca1, wnm-cca2). Let Π = (G, E, D) be an encryption scheme, let R be a relation, let A = (A1, A2) be an adversary, and let S = (S1, S2) be an algorithm (“simulator”). For k ∈ N define

Adv^{wnm-atk}_{A,S,Π}(R, k) = Pr[Expt^{wnm-atk}_{A,Π}(R, k) = 1] − Pr[Expt^{wnm-atk}_{S,Π}(R, k) = 1], where

Expt^{wnm-atk}_{A,Π}(R, k):
  (pk, sk) ← G(1^k)
  (M, s1, s2) ← A1^{O1}(pk)
  x ← M
  y ← E_pk(x)
  y⃗ ← A2^{O2}(s2, y)
  x⃗ ← D_sk(y⃗)
  Return 1 iff (y ∉ y⃗) ∧ R(x, x⃗, M, s1)

Expt^{wnm-atk}_{S,Π}(R, k):
  (pk, sk) ← G(1^k)
  (M, s1, s2) ← S1(pk)
  x ← M
  (y⃗, z⃗) ← S2(s2)
  x⃗ ← D*_sk(y⃗, z⃗, x)
  Return 1 iff R(x, x⃗, M, s1)

and D*_sk(y⃗, z⃗, x) returns the decryption of each y_i ∈ y⃗ for which z_i = x or z_i = ⊥, and returns ⊥ for each other index. We say that Π is wnm-atk-secure if for every polynomial q(k), and every A that runs in time q(k) and outputs a valid message space M samplable in time q(k), there exists a polynomial-time algorithm S such that for every R computable in time q(k), Adv^{wnm-atk}_{A,S,Π}(R, k) is negligible.

The proofs of the following lemmas will appear in the full version of the paper.

Lemma 1. For any atk ∈ {cpa, cca1, cca2}, snm-atk ⇒ wnm-atk ⇒ ind-atk.

Lemma 2 (ind-cca1 ⇏ wnm-cpa). If there exists an ind-cca1-secure encryption scheme, then there exists an ind-cca1-secure encryption scheme that is not wnm-cpa-secure.

³ Actually, it is much easier to see that they are not comparison-based non-malleable (cnm) [4], and then use the result in [4] that simulation-based non-malleability implies comparison-based non-malleability. Also, note that our separation result in Lemma 3 holds not just in the random oracle model, but in the standard model.

Lemma 3 (wnm-cca1 ⇏ snm-cpa). If there exists an snm-cca1-secure encryption scheme, then there exists a wnm-cca1-secure encryption system that is not snm-cpa-secure.



3.2 Constructions 

In Section 1, we introduced several constructions for wnm-secure encryption, denoted “Mult-Range”, “Mult-Adjacent”, and “Add-Square”. Our goal in this section will be to prove Lemma 4.

Lemma 4. The Mult-Range, Mult-Adjacent, and Add-Square schemes are all wnm-atk secure, for atk ∈ {cpa, cca1}.

In fact, we prove a more general result. We show a general construction 
of weakly non-malleable encryption schemes, of which the three constructions 
above are special cases. We first introduce a notion called “uniquely identifiable 
subset,” which we will use in our general construction. 

We say a sequence of sets X = {X_k}_{k≥0}, X_k ⊆ {0, 1}*, is efficient if there exists a polynomial p(·) such that membership in X_k can be tested in time p(k). For simplicity, we often abuse notation by referring to the sequence {X_k} as “the efficient set X” and omitting the subscript k, although it should be understood that X is a sequence of sets. We extend this notation to groups, too, i.e., when we say “X is an efficient finite group,” it should be understood that X = {X_k} is in fact a sequence of finite groups, whose membership can be efficiently determined. Furthermore, for efficient sets X and S, we use the phrase “S is a subset of X” as shorthand for “for every k, S_k is a subset of X_k.”

Definition 3 (Unique Identifiability). Let X be an efficient finite group with identity element e, and let S be an efficient subset of X. We say S is a uniquely identifiable subset of X, if for every λ ∈ X \ {e}, there exists at most one x_λ ∈ S such that λ·x_λ ∈ S and for any other x ∈ S, x ≠ x_λ, λ·x ∉ S. Here “·” is the group operation. We call x_λ the soft spot for λ. If no such x_λ exists, we write this as x_λ = ⊥. We denote the soft spot of λ by ss(λ).

Furthermore, we say S is an efficient uniquely identifiable subset of X, if there exists a polynomial-time algorithm A that outputs x_λ on input λ.

Putting the definition in our context, X is the space of all messages and S is the set of all “valid” messages. The group operation is a “mauling” function that converts an encryption of x to an encryption of λ·x, and we call λ the “mauling factor.” The unique identifiability indicates, therefore, that for every mauling factor λ, there is at most one valid message x_λ that can be mauled into another valid one (all other valid messages are mapped to invalid ones). For an efficient uniquely identifiable subset, one can in fact find x_λ efficiently.

Next, we give several examples of efficient uniquely identifiable subsets, which are closely related to the Mult-Range, Mult-Adjacent, and the Add-Square schemes.

Example 1 (Mult-Adjacent). Let X = Z_p^* × Z_p^* with the group operation being component-wise multiplication in Z_p^*, i.e., (x0, x1)·(y0, y1) = (x0·y0, x1·y1). Let S = {(x, x + 1) | x ∈ Z_p^*}.

Example 2 (Add-Square). Let X = Z_p × Z_p, with the group operation being component-wise addition in Z_p, i.e., (x0, x1)·(y0, y1) = (x0 + y0, x1 + y1). Let S = {(x, x²) | x ∈ Z_p}.

Example 3 (Mult-Range). Let X = Z_p^* with multiplication as the group operation. Let S = {a, ..., b}, where a > (b − a)² and p > 2b².

Lemma 5. All three examples above are efficient uniquely identifiable systems.

The proof of Lemma 5 is straightforward for Mult-Adjacent and Add-Square; Mult-Range is not straightforward, however. The proof will be provided in the full version of the paper.

Now we present our general construction of wnm encryption schemes.

Construction 1 Let X be an efficient finite group. Let S be an efficient uniquely identifiable subset of X, and H : {0, 1}* → X be a hash function. Let G* be a trapdoor permutation generator. We construct an encryption scheme as follows. G runs G* to get (f, f^{-1}, d), and sets pk = <f, d>, and sk = f^{-1}. The plaintext space of E_pk is S.⁴ To encrypt a message m, E_pk(m) generates r ← d(1^k) and returns <f(r), H(r)·m>, where “·” is the group operation in X. To decrypt a ciphertext c = (α, β), D_sk(c) computes m = β·(H(f^{-1}(α)))^{-1}, returns m if m ∈ S, and ⊥ otherwise.



Lemma 6. Following the notation in Construction 1, if H(·) is a random oracle, then Construction 1 is wnm-atk secure, for atk ∈ {cpa, cca1}.

The proof of this result is in Appendix A.1.
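As an added worked example (not code from the paper), the following Python implements Construction 1 over the three uniquely identifiable subsets of Examples 1–3 (the Mult-Adjacent, Add-Square and Mult-Range schemes of Section 1), with the soft-spot algorithm of Definition 3 for each and an exhaustive check of Lemma 5 on toy parameters. The RSA modulus 3233, the prime p = 10007, the range [63, 70] and SHA-256 standing in for the random oracle H are constructed assumptions, far too small for real use.

```python
import hashlib
import random

# Constructed toy parameters (insecure; illustration only).
TOY_N, TOY_E, TOY_D = 3233, 17, 2753   # RSA with n = 61*53 plays (f, f^-1, d) from G*
P = 10007                              # the prime p behind all three groups X

def f(r):       # trapdoor permutation f(r) = r^e mod n (public)
    return pow(r, TOY_E, TOY_N)

def f_inv(v):   # f^{-1}(v) = v^d mod n (the trapdoor, i.e. sk)
    return pow(v, TOY_D, TOY_N)

def oracle_int(r, i, modulus):
    """Random oracle H modelled by SHA-256: component i of H(r) as an integer in [0, modulus)."""
    h = hashlib.sha256(f"toy-H|{r}|{i}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def brute_soft_spot(scheme, lam):
    """Definition 3 by exhaustive search over S: the x with lam . x in S (None stands for bottom)."""
    hits = [x for x in scheme.members() if scheme.in_S(scheme.op(lam, x))]
    assert len(hits) <= 1, f"{lam} has two soft spots: S is not uniquely identifiable"
    return hits[0] if hits else None

class MultRange:
    """Example 3: X = Z_p^*, S = {a, ..., b} with a > (b-a)^2 and p > 2b^2."""
    def __init__(self, a, b):
        assert 0 < a < b < P and a > (b - a) ** 2 and P > 2 * b * b
        self.a, self.b = a, b
    def op(self, x, y):  return x * y % P
    def inv(self, x):    return pow(x, -1, P)
    def H(self, r):      return oracle_int(r, 0, P - 1) + 1      # lands in Z_p^*
    def in_S(self, m):   return self.a <= m <= self.b
    def members(self):   return range(self.a, self.b + 1)
    def soft_spot(self, lam):                 # S is tiny here, so searching it is "efficient"
        return brute_soft_spot(self, lam)

class MultAdjacent:
    """Example 1 with the Section 1 plaintext space Z_p^* without p-1: S = {(x, x+1)} in Z_p^* x Z_p^*."""
    def op(self, x, y):  return (x[0] * y[0] % P, x[1] * y[1] % P)
    def inv(self, x):    return (pow(x[0], -1, P), pow(x[1], -1, P))
    def H(self, r):      return (oracle_int(r, 0, P - 1) + 1, oracle_int(r, 1, P - 1) + 1)
    def in_S(self, m):   return 1 <= m[0] <= P - 2 and m[1] == m[0] + 1
    def members(self):   return ((x, x + 1) for x in range(1, P - 1))
    def soft_spot(self, lam):
        """Solve l1*(x+1) = l0*x + 1 (mod p); equal components (lam != e) admit no solution."""
        l0, l1 = lam
        if l0 == l1:
            return None
        x = (1 - l1) * pow((l1 - l0) % P, -1, P) % P
        cand = (x, x + 1)
        return cand if self.in_S(cand) and self.in_S(self.op(lam, cand)) else None

class AddSquare:
    """Example 2: X = Z_p x Z_p under componentwise addition, S = {(x, x^2)}."""
    def op(self, x, y):  return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
    def inv(self, x):    return (-x[0] % P, -x[1] % P)
    def H(self, r):      return (oracle_int(r, 0, P), oracle_int(r, 1, P))
    def in_S(self, m):   return m[1] == m[0] * m[0] % P
    def members(self):   return ((x, x * x % P) for x in range(P))
    def soft_spot(self, lam):
        """(x+l0)^2 = x^2 + l1 has the single solution x = (l1 - l0^2)/(2*l0) when l0 != 0."""
        l0, l1 = lam
        if l0 == 0:
            return None
        x = (l1 - l0 * l0) * pow(2 * l0, -1, P) % P
        return (x, x * x % P)

# Construction 1 over any of the schemes above.
def encrypt(scheme, m, rng=random):
    """E_pk(m) = <f(r), H(r) . m> with r <- d(1^k); plaintexts must lie in S."""
    assert scheme.in_S(m), "plaintext space is S"
    r = rng.randrange(1, TOY_N)
    return (f(r), scheme.op(scheme.H(r), m))

def decrypt(scheme, c):
    """D_sk(<alpha, beta>) = beta . H(f^{-1}(alpha))^{-1}, or None (bottom) if the result is not in S."""
    alpha, beta = c
    m = scheme.op(beta, scheme.inv(scheme.H(f_inv(alpha))))
    return m if scheme.in_S(m) else None

def maul(scheme, c, lam):
    """Apply mauling factor lam to the second component: E(m) becomes an encryption of lam . m."""
    alpha, beta = c
    return (alpha, scheme.op(lam, beta))

def mauled_plaintext(scheme, m, lam, rng=random):
    """What the receiver decrypts from a mauled E(m): lam . m if m = ss(lam), else bottom (None)."""
    return decrypt(scheme, maul(scheme, encrypt(scheme, m, rng), lam))
```

For the toy Mult-Range parameters, brute_soft_spot over every λ ∈ Z_p^* \ {1} never finds two soft spots, which is the content of Lemma 5 for this instance.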

3.3 Applications 

In this section we show that weak non-malleability suffices to implement a secure contract bidding system between two bidders. Intuitively, in an ideal contract bidding system, each of two bidders would submit its bid to a trusted authority through a secure channel (so that the messages are both secret and authenticated). In a real contract bidding system, however, it may be the case that a dishonest bidder may be able to see the encrypted bid from an honest bidder before it submits its own bid. In either case, we assume there is a public “award” function over these input bids. Depending on the application, the award function varies. For example, the simplest award function can be Award((x0, x1)) = (y0, y1), where y_i = x_i if x_i = min{x0, x1} and y_i = 0 otherwise. This indicates the rule that the lowest bidder wins, with the award being his bid, and the other bidder loses and thus has zero award. (We assume a unique minimum between the bids, otherwise nobody wins.) Other forms of the award function exist.

⁴ More precisely, we assume a one-to-one correspondence between plaintexts and elements of S, and efficient encoding and decoding functions to map plaintexts to and from elements of S.

We specify our contract bidding system as follows:

Setup: A bidding system consisting of two bidders B0, B1 and an award function Award. There is also a bidding upper bound U > 0, such that the only valid bids are integers between 0 and U. Both bidders are given U and the award function Award.

Award function: The function Award : {⊥, 0, 1, ..., U}² → {0, 1, ...}² takes the bids from the bidders and computes their awards, respectively.⁵ We say an award function is fair, if for any x = (x0, x1) and any i ∈ {0, 1}, Award(x|_{x[i]→⊥})[i] ≤ Award(x)[i], and Award(x|_{x[i]→x[1−i]})[i] ≤ Award(x)[i]. Here we use x|_{x[i]→y} to indicate the vector obtained by replacing the i-th entry of x by y, and we use x[i] to indicate the i-th entry of x. Intuitively, the fairness indicates that B_i would not gain any advantage in profit by changing his bid to ⊥ or to B_{1−i}’s bid. We note that fairness is a reasonable requirement for bidding systems to be “useful.”

Real Adversary: To model security, we consider an adversary A = (A1, A2) that corrupts bidder B1. A1 receives the public key pk and U, and outputs a polynomial-time samplable distribution M of bids, from which a bid bid0 is chosen for B0. A2 is then given the ciphertext of bid0 and outputs encrypted bid ebid1 for B1. The profit of the adversary is the award of B1.

Definition 4 (Secure Contract Bidding). Let CBS be a contract bidding system with bidding upper bound U and encryption scheme Π = (G, E, D). CBS is secure if for every fair award function Award, every polynomial q(k), every adversary A = (A1, A2) that runs in time q(k), there exists a polynomial-time simulator S = (S1, S2) such that Adv_{A,S,CBS}(k) is negligible,⁶ where

Adv_{A,S,CBS}(k) := E[Expt_{A,CBS}(k) − Expt_{S,CBS}(k)], and

Expt_{A,CBS}(k):
  (pk, sk) ← G(1^k)
  (M, s) ← A1(pk, U)
  bid0 ← M
  ebid0 ← E_pk(bid0)
  ebid1 ← A2(ebid0, s)
  bid1 ← D_sk(ebid1)
  return Award((bid0, bid1))[1]

Expt_{S,CBS}(k):
  (M, s) ← S1(U)
  bid0 ← M
  bid1 ← S2(s)
  return Award((bid0, bid1))[1]

⁵ We insist that the award function be a positive function. However, this is entirely arbitrary, since one can always “shift” the award function by a constant without changing its nature.

⁶ It may be negative, in which case we also consider it to be negligible.
It is clear that if the encryption scheme Π is malleable, then the system might not be secure. For example, consider the scheme where message m is encrypted as <f(r), H(r) + m mod p>, where f(·) is a trapdoor permutation and H a random oracle. It is an ind-cpa-secure scheme, but the real bidding system is not secure, since an adversary seeing the bid <α, β> from bidder B0 can submit bid <α, β − 1>, and underbid B0 by 1. It is also obvious that if Π is snm-cpa-secure, then the bidding system is secure. The next theorem shows that in fact wnm-cpa-security suffices.

Theorem 1. Let Π = (G, E, D) be a wnm-cpa-secure encryption scheme, with a domain that includes the integer range [0, U] where U is polynomially bounded by k. Then a contract bidding system CBS with bidding upper bound U and encryption scheme Π is secure.

The proof of this result is in Appendix A.2. We mention that our result only applies to the case of a single auction, and specifically does not claim that repeated auctions will be secure if they use the same encryption scheme. Obviously, for repeated auctions to be secure, we would need some kind of cca2 security for our encryption scheme.

We also mention that the result does not apply to contract bidding schemes with multiple bidders that may collude. Intuitively, this is because they may each make guesses which cover the possible choices of the honest bidder, and a wrong guess for one party does not reduce the award of the party that guesses correctly. To solve the problem with multiple bidders using a wnm-secure cryptosystem, one could either allow randomization in the bids (e.g., each bid would be of the form (bid, r), where r ← {0, 1}^k, which would ensure that the adversary has a negligible chance of guessing the full plaintext), or one could change the model to levy penalties for invalid bids.



4 Tag-Based Non-malleability

In this section, we introduce tag-based non-malleability as an alternative to standard non-malleability. Informally, in a tag-based encryption system, the encryption and decryption operations take an additional “tag.” A tag is simply a binary string of appropriate length (i.e., its length has to be polynomially bounded by the security parameter), and need not have any particular internal structure. We define security for tag-based encryption in manners analogous to security for standard encryption systems. In particular, we define tag-based non-malleability (Definition 5) and tag-based indistinguishability (Definition 6) with respect to cpa, cca1, and cca2 attacks. The only changes we make to the definitions for standard encryption are: (i) in a cca2 attack, instead of requiring that the adversary A not query the decryption oracle with the ciphertext y that A receives as a challenge, we require that A not query the decryption oracle with a (ciphertext, tag) pair using the same tag with which y was encrypted; (ii) for tag-based non-malleability, instead of requiring that A2 not output the ciphertext y it receives, we require that A2 not output any (ciphertext, tag) pair for decryption using the tag with which y was encrypted. Informally, one simply changes the “equality of two ciphertexts” in the standard definitions to “equality of the tags of two ciphertexts,” and we have a tag-based definition.



4.1 Definition 

Tag-based encryption schemes A tag-based encryption scheme Π is a triple (G, E, D) of algorithms, the first two being probabilistic, and all running in expected polynomial time. G takes as input 1^k and outputs a public key pair (pk, sk), i.e., (pk, sk) ← G(1^k). E takes a public key pk, a message m, and a tag t as input and outputs an encryption c for m associated with t; we denote this c ← E_pk(m, t). D takes a private key sk, a ciphertext c, and a tag t as input and returns either a message m such that c is a valid encryption of m associated with t, if such an m exists, and otherwise returns ⊥; we denote this m ← D_sk(c, t).

Definition 5 (tnm-cpa, tnm-cca1, tnm-cca2). Let Π = (G, E, D) be an encryption scheme, let R be a relation, let A = (A1, A2) be an adversary, and let S = (S1, S2) be an algorithm (the “simulator”). For k ∈ N define

Adv^{tnm-atk}_{A,S,Π}(R, k) = Pr[Expt^{tnm-atk}_{A,Π}(R, k) = 1] − Pr[Expt^{tnm-atk}_{S,Π}(R, k) = 1], where

Expt^{tnm-atk}_{A,Π}(R, k):
  (pk, sk) ← G(1^k)
  (M, t, s1, s2) ← A1^{O1}(pk)
  x ← M
  y ← E_pk(x, t)
  (y⃗, t⃗) ← A2^{O2}(s2, y)
  x⃗ ← D_sk(y⃗, t⃗)
  Return 1 iff (t ∉ t⃗) ∧ R(x, x⃗, M, s1)

Expt^{tnm-atk}_{S,Π}(R, k):
  (pk, sk) ← G(1^k)
  (M, t, s1, s2) ← S1(pk)
  x ← M
  (y⃗, t⃗) ← S2(s2, t)
  x⃗ ← D_sk(y⃗, t⃗)
  Return 1 iff R(x, x⃗, M, s1)

We require that O2 not be queried with the t given to A2. We say that Π is secure in the sense of tnm-atk if for every polynomial q(k), every R computable in time q(k), and every A that runs in time q(k) and outputs a valid message space M samplable in time q(k), there exists a polynomial-time algorithm S such that Adv^{tnm-atk}_{A,S,Π}(R, k) is negligible.



Definition 6 (tind-cpa, tind-cca1, tind-cca2). Let Π = (G, E, D) be a tag-based encryption scheme, and let A = (A1, A2) be an adversary. For k ∈ N define

Adv^{tind-atk}_{A,Π}(k) := 2·Pr[Expt^{tind-atk}_{A,Π}(k) = 1] − 1, where

Expt^{tind-atk}_{A,Π}(k):
  (pk, sk) ← G(1^k)
  (x0, x1, t, s) ← A1^{O1}(pk)
  b ← {0, 1}
  y ← E_pk(x_b, t)
  b' ← A2^{O2}(x0, x1, t, s, y)
  Return 1 iff b = b'

We require that |x0| = |x1|, and that O2 is not queried with tag t. We say that Π is secure in the sense of tind-atk if for every polynomial q(k) and every adversary A that runs in time q(k), Adv^{tind-atk}_{A,Π}(k) is negligible.

Theorem 2 (tnm-atk ⇒ tind-atk). If an encryption scheme is tnm-atk-secure, then it is tind-atk-secure, for atk ∈ {cpa, cca1, cca2}.



4.2 Constructions 

We give two constructions of tag-based encryption schemes, both achieving tnm-cca2-security. The first one is based on one-way trapdoor permutations in the random oracle model. It is similar to the semantically secure (ind-cpa) encryption scheme from Bellare and Rogaway [2], but enjoys a higher level of security. The second is a modification of the Cramer-Shoup scheme [8,9], but simpler.

Construction 2 Let G* be a trapdoor permutation generator. Let X be a finite group and H : {0, 1}* → X a hash function. We construct an encryption scheme as follows. G runs G* to get (f, f^{-1}, d), and sets pk = <f, d>, and sk = f^{-1}. All messages are restricted to be elements in X. To encrypt a message m with tag t, E_pk(m, t) generates r ← d(1^k) and returns <f(r), H(r, t)·m>, where “·” is the group operation in X. To decrypt a ciphertext c = (α, β) with tag t, D_sk(c, t) returns m = β·(H(f^{-1}(α), t))^{-1}.



Lemma 7. Let H be a random oracle. If f is a trapdoor permutation, then the scheme in Construction 2 is tnm-cca2-secure.

The intuition behind the proof of Lemma 7 is that the simulator can simulate the decryption oracles using the knowledge of the random oracle queries, and the fact that the adversary cannot make an O2(·) query with the same tag as in the challenge encryption. Details will be given in the full version.

Construction 3 Let G_q be a finite group in which the DDH assumption holds.⁷ We define an encryption scheme as follows.

G_CS(G_q): Let g be the generator of G_q (included in the description of G_q). Generate g2 ← G_q and a, b, c, d, e ← Z_q, and set U ← g^a (g2)^b, V ← g^c (g2)^d, and W ← g^e. Let the public key be <g, g2, U, V, W> and the secret key be <a, b, c, d, e>.

E_<g,g2,U,V,W>(m, t): Generate r ← Z_q and x ← g^r, y ← (g2)^r, w ← W^r·m and v ← U^r V^{rt}. Return <x, y, w, v> as the ciphertext.

D_<a,b,c,d,e>(<x, y, w, v>, t): If v ≠ x^{a+ct} y^{b+dt}, return ⊥, else return w / x^e.

⁷ Note that one possible group G_q may be found by generating a large prime p such that q divides p − 1, and letting G_q be the subgroup of order q in Z_p^*.

Informally, our construction removes the collision-resistant hash function from the original Cramer-Shoup construction, and replaces the hash value α = H(x, y, w) by the tag t.⁸

Lemma 8. The encryption scheme in Construction 3 is tnm-cca2-secure. 

The proof of this lemma almost directly follows the proof of security for the 
original Cramer-Shoup construction; we omit it here. 
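Construction 3 as an added worked example (not the paper’s code): a toy Python version over the order-q subgroup of Z_p^* from footnote 7, with p = 2039, q = 1019 and g = 4 as constructed parameters; receiver_outcomes shows what the tag check in D guarantees a receiver and what it does not.

```python
import random

# Constructed toy parameters (insecure; illustration only): p = 2q + 1 with p and q prime,
# G_q = the order-q subgroup of Z_p^* (footnote 7), generated by g = 2^2 = 4.
Q, PRIME, G = 1019, 2039, 4

def in_group(h):
    """Membership test for G_q: a nonzero residue with h^q = 1 mod p."""
    return 0 < h < PRIME and pow(h, Q, PRIME) == 1

def derive_pk(g2, sk):
    """Public key <g, g2, U, V, W> for sk = <a, b, c, d, e>: U = g^a g2^b, V = g^c g2^d, W = g^e."""
    a, b, c, d, e = sk
    U = pow(G, a, PRIME) * pow(g2, b, PRIME) % PRIME
    V = pow(G, c, PRIME) * pow(g2, d, PRIME) % PRIME
    return (G, g2, U, V, pow(G, e, PRIME))

def keygen(rng=random):
    """G_CS(G_q): g2 <- G_q (a random square of Z_p^* lies in G_q) and a, b, c, d, e <- Z_q."""
    g2 = pow(rng.randrange(2, PRIME - 1), 2, PRIME)
    sk = tuple(rng.randrange(Q) for _ in range(5))
    return derive_pk(g2, sk), sk

def encrypt(pk, m, t, rng=random):
    """E_pk(m, t): r <- Z_q; x = g^r, y = g2^r, w = W^r m, v = U^r V^{rt}; tag t in Z_q (footnote 8)."""
    g, g2, U, V, W = pk
    assert in_group(m) and 0 <= t < Q
    r = rng.randrange(1, Q)
    x, y = pow(g, r, PRIME), pow(g2, r, PRIME)
    w = pow(W, r, PRIME) * m % PRIME
    v = pow(U, r, PRIME) * pow(V, r * t % Q, PRIME) % PRIME
    return (x, y, w, v)

def decrypt(sk, ct, t):
    """D_sk(<x, y, w, v>, t): None (bottom) unless v = x^{a+ct} y^{b+dt}; otherwise m = w / x^e."""
    a, b, c, d, e = sk
    x, y, w, v = ct
    if not all(in_group(z) for z in (x, y, w, v)):
        return None
    expected = pow(x, (a + c * t) % Q, PRIME) * pow(y, (b + d * t) % Q, PRIME) % PRIME
    if v != expected:
        return None
    return w * pow(pow(x, e, PRIME), -1, PRIME) % PRIME

def receiver_outcomes(pk, sk, m, t, rng=random):
    """Encrypt m under tag t and report what the receiver's v check guarantees and what it does not:
    own_tag    - decrypting under the sender's tag recovers m;
    other_tag  - the same ciphertext presented under another tag is rejected (whenever V != 1,
                 which fails only with probability about 1/q over key generation);
    tampered_v - altering v (likewise x or y) fails the v check;
    same_tag_w - w scaled by m' decrypts to m*m' under the SAME tag: tnm permits this, which is
                 why Section 4.3 binds the tag to the sender's identity."""
    x, y, w, v = ct = encrypt(pk, m, t, rng)
    m_prime = pow(G, 5, PRIME)                      # an arbitrary other element of G_q
    return {
        "own_tag": decrypt(sk, ct, t),
        "other_tag": decrypt(sk, ct, (t + 1) % Q),
        "tampered_v": decrypt(sk, (x, y, w, v * G % PRIME), t),
        "same_tag_w": decrypt(sk, (x, y, w * m_prime % PRIME, v), t) == m * m_prime % PRIME,
    }
```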



4.3 Applications 

Intuitively, tag-based encryption schemes (and in particular, tnm schemes) are useful in systems that already have authentication, i.e., in systems where Bob cannot impersonate Alice and send messages using Alice’s identity. We stress that even with authentication, we still need non-malleability. For example, in the contract-bidding scenario in both [11] and the previous section, we still need to make sure that Bob cannot underbid Alice by mauling her message. With a tnm system, we can use the sender’s identity as the tag to achieve this goal. Suppose Alice sends an encrypted message c = E(m, Alice) to Charlie. A malicious Bob may be able to maul c into another ciphertext with the same tag, i.e., Alice — this is allowed in the definition — but this would not be useful for him since he cannot fake Alice’s identity. Bob needs to produce some message with the tag Bob, but tnm stipulates that Bob will not have any advantage in doing so. To demonstrate this, we show how to use a tnm-cca2 scheme (in fact, a tind-cca2 scheme) to construct a protocol that realizes the secure message transmission functionality in the F_AUTH-hybrid model, in the universal composability framework. Previously, this was done using an ind-cca2 encryption scheme [5].



Universal-composability framework. The universal composability frame- 
work was proposed by Canetti [5] for defining the security and composition 
of protocols. To define security one first specifies an ideal functionality using 
a trusted party that describes the desired behavior of the protocol. Then one 
proves that a particular protocol operating in a real-life model securely realizes 
this ideal functionality. Here we briefly summarize the framework. 

A (real-life) protocol π is defined as a set of n interactive Turing Machines P_1, ..., P_n, designating the n parties in the protocol. It operates in the presence of an environment Z and an adversary A, both of which are also modeled as interactive Turing Machines. The environment Z provides inputs and receives outputs from honest parties, and may communicate with A. A controls (and may view) all communication between the parties. (Note that this models asynchronous communication on open point-to-point channels.) We will assume that messages are authenticated, and thus A may not insert or modify messages between honest parties. (This feature could be added to an unauthenticated model using a message authentication functionality as described in [5].) A also may corrupt parties, in which case it obtains the internal state of the party.

⁸ We assume that t ∈ Z_q. Otherwise, we would need a collision-resistant hash function to hash the tag.

The ideal process with respect to a functionality F is defined for n parties P_1, ..., P_n, an environment Z, and an (ideal-process) adversary S. However, P_1, ..., P_n are now dummy parties that simply forward (over secure channels) inputs received from Z to F, and forward (again over secure channels) outputs received from F to Z. Thus the ideal process is a trivially secure protocol with the input-output behavior of F.



UC secure message transmission. The functionality $\mathcal{F}_{\text{M-SMT}}$ is given in Figure 1. Intuitively, this functionality allows multiple parties to send messages securely to a single receiver. Both the secrecy and the integrity of the messages are guaranteed. See [5] for more discussion.



$\mathcal{F}_{\text{M-SMT}}$ proceeds as follows, running with parties $P_1, \ldots, P_n$, and an adversary $A$:

— In the first activation, expect to receive a value (receiver, $id$) from some party $P_i$. Then send (receiver, $id$, $P_i$) to all parties and the adversary. From now on, ignore all (receiver, $id$) values.

— Upon receiving a value (send, $id$, $m$) from some party $P_j$, send $(id, P_j, m)$ to $P_i$ and $(id, P_j, |m|)$ to the adversary.

Fig. 1. Functionality $\mathcal{F}_{\text{M-SMT}}$



Canetti [5] constructed a protocol that securely realizes this functionality in the $(\mathcal{F}_{\text{AUTH}}, \mathcal{F}_{\text{PKE}})$-hybrid model. He also showed that any ind-cca2 encryption scheme can securely realize the $\mathcal{F}_{\text{PKE}}$ functionality. Therefore, one can construct a protocol using an ind-cca2 encryption scheme to securely realize $\mathcal{F}_{\text{M-SMT}}$ in the $\mathcal{F}_{\text{AUTH}}$-hybrid model. Here, we show that one can instead use a tag-based tind-cca2 encryption scheme.

Given a tind-cca2 encryption scheme $\Pi = (G, E, D)$, the protocol $\sigma$ runs as follows. In this description, we include the identity of the receiver in the session identifier. (i) When a party $P_i$ receives an input (receiver, $id|P_i$), it runs $(pk, sk) \leftarrow G(1^k)$, and sends (key, $id|P_i$, $pk$) to all other parties using $\mathcal{F}_{\text{AUTH}}$. Any messages of this type with an identifier not in the correct format are ignored. (ii) On receiving the first message $(P_{i'}, P_j, (\text{key}, id|P_{i'}, pk'))$ from $\mathcal{F}_{\text{AUTH}}$, $P_j$ records $(P_{i'}, id, pk')$ and outputs (receiver, $id|P_{i'}$, $P_{i'}$). Any messages of this type with an identifier not in the correct format are ignored. Subsequent messages of this type with identifier $id|P_{i'}$ are ignored. (iii) After this, when $P_j$ receives an input (send, $id|P_{i'}$, $m$), $P_j$ runs $c \leftarrow E_{pk'}(m, P_j)$, and invokes $\mathcal{F}_{\text{AUTH}}$ to send (msg, $id|P_{i'}$, $c$) to $P_{i'}$. (iv) On receiving a message $(P_j, P_i, (\text{msg}, id|P_i, c))$ from $\mathcal{F}_{\text{AUTH}}$, $P_i$ runs $m \leftarrow D_{sk}(c, P_j)$ and if $m \neq \bot$, outputs $(id|P_i, P_j, m)$. Intuitively, the protocol uses the identity of the sender as the tag for the encryption.
Theorem 3. The protocol $\sigma$ securely realizes the SMT functionality in the $\mathcal{F}_{\text{AUTH}}$-hybrid model, assuming static corruptions.

The proof of Theorem 3 is in Appendix A.3.

4.4 Relation to Standard Definitions 

We study the relation between the tag-based definitions and the standard ones. First, we note that they are not directly comparable, due to the structural difference in encryption and decryption. However, given a standard encryption scheme $\Pi = (G, E, D)$, it is straightforward to construct a tag-based scheme $\Pi' = (G', E', D')$ with the same security as follows. $G'$ is the same as $G$; $E'_{pk}(m, t)$ calls $E_{pk}(m \circ t)$, where $x \circ y$ denotes a canonical encoding of the concatenation of two binary strings that can be uniquely parsed; $D'_{sk}(c, t)$ calls $(m, t') \leftarrow D_{sk}(c)$ and returns $m$ if $t = t'$ and $\bot$ otherwise. It is easy to check that $\Pi'$ enjoys the same level of security (in the sense of Definition 5) as $\Pi$ (in the sense of Definition 1).

Interestingly, the other direction also holds: given a tag-based scheme, one 
can construct a standard scheme, using a strong one-time signature scheme [20]. 

Construction 4 Let $\Pi = (G, E, D)$ be a tag-based encryption scheme. Let SIG = (sig_gen, sig_sign, sig_verify) be a strong one-time signature scheme. We construct a standard scheme $\Pi' = (G', E', D')$ as follows. $G' = G$. To encrypt message $m$ using $pk$, generate a signing/verification key pair $(\mathrm{sig\_vk}, \mathrm{sig\_sk}) \leftarrow \mathrm{sig\_gen}(1^k)$; encrypt $m$ using sig_vk as the tag, i.e., $c \leftarrow E_{pk}(m, \mathrm{sig\_vk})$; sign $c$ using sig_sk, i.e., $s \leftarrow \mathrm{sig\_sign}(\mathrm{sig\_sk}, c)$; and output $(\mathrm{sig\_vk}, c, s)$ as the encryption. To decrypt a ciphertext $(\mathrm{sig\_vk}, c, s)$, verify that $s$ is a valid signature of $c$ with respect to sig_vk; if not, output $\bot$; if so, return $D_{sk}(c, \mathrm{sig\_vk})$.
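The two transformations of this section, the standard-to-tag-based wrapper of Section 4.4 and the tag-based-to-standard wrapper of Construction 4, as an added Python example that is not part of the paper. The underlying "standard" scheme is a toy keyed-keystream stand-in (an assumption made only so that the wrappers run offline; it is not public-key encryption and makes no security claim), the canonical encoding $m \circ t$ is a length-prefixed concatenation, and the strong one-time signature is a Lamport signature over SHA-256. What the example shows is the two checks the paper relies on: the tag-based decryption returns $\bot$ when the tag presented does not match the tag encrypted, and the wrapper of Construction 4 returns $\bot$ as soon as the signed ciphertext is modified.

```python
import hashlib
import secrets

# Canonical encoding m ∘ t: a 4-byte length prefix makes (m, t) uniquely parseable.
def encode_pair(m, t):
    return len(m).to_bytes(4, "big") + m + t

def decode_pair(x):
    n = int.from_bytes(x[:4], "big")
    if len(x) < 4 + n:
        raise ValueError("malformed encoding")
    return x[4:4 + n], x[4 + n:]

class ToyScheme:
    """Stand-in for a standard scheme Pi = (G, E, D). Assumption: a hash-derived
    keystream under a fresh nonce; not public-key encryption and no security claim,
    it only lets the two wrappers below run offline."""
    def gen(self):
        k = secrets.token_bytes(32)
        return k, k                                   # (pk, sk)
    def enc(self, pk, m):
        nonce = secrets.token_bytes(16)
        return nonce + self._xor(pk, nonce, m)
    def dec(self, sk, c):
        return self._xor(sk, c[:16], c[16:])
    @staticmethod
    def _xor(k, nonce, data):
        blocks = [hashlib.sha256(k + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1)]
        return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class TagBasedFromStandard:
    """Section 4.4: E'_pk(m, t) = E_pk(m ∘ t); D'_sk(c, t) decrypts, parses, and
    returns m only if the recovered tag equals t (None plays the role of ⊥)."""
    def __init__(self, base):
        self.base = base
    def gen(self):
        return self.base.gen()
    def enc(self, pk, m, t):
        return self.base.enc(pk, encode_pair(m, t))
    def dec(self, sk, c, t):
        try:
            m, t2 = decode_pair(self.base.dec(sk, c))
        except ValueError:
            return None
        return m if t2 == t else None

class LamportOTS:
    """Strong one-time signature SIG = (sig_gen, sig_sign, sig_verify) from
    SHA-256 (Lamport): the verification key is 256 pairs of hash images."""
    @staticmethod
    def gen():
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        vk = b"".join(hashlib.sha256(a).digest() + hashlib.sha256(b).digest() for a, b in sk)
        return vk, sk
    @staticmethod
    def _bits(msg):
        d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
        return [(d >> (255 - i)) & 1 for i in range(256)]
    @classmethod
    def sign(cls, sk, msg):
        return [sk[i][b] for i, b in enumerate(cls._bits(msg))]
    @classmethod
    def verify(cls, vk, msg, sig):
        if len(vk) != 256 * 64 or len(sig) != 256:
            return False
        for i, b in enumerate(cls._bits(msg)):
            if hashlib.sha256(sig[i]).digest() != vk[i * 64 + b * 32: i * 64 + b * 32 + 32]:
                return False
        return True

class StandardFromTagBased:
    """Construction 4: a fresh one-time verification key is the tag, and the
    ciphertext is signed under it so it cannot be replayed under another tag."""
    def __init__(self, tag_scheme):
        self.ts = tag_scheme
    def gen(self):
        return self.ts.gen()
    def enc(self, pk, m):
        vk, ssk = LamportOTS.gen()
        c = self.ts.enc(pk, m, vk)
        return (vk, c, LamportOTS.sign(ssk, c))
    def dec(self, sk, ct):
        vk, c, s = ct
        if not LamportOTS.verify(vk, c, s):
            return None
        return self.ts.dec(sk, c, vk)

def demo():
    """Both wrappers on constructed inputs; returns the four decryption results."""
    tagged = TagBasedFromStandard(ToyScheme())
    pk, sk = tagged.gen()
    c = tagged.enc(pk, b"hello", b"Alice")
    standard = StandardFromTagBased(tagged)
    pk2, sk2 = standard.gen()
    vk, c2, s = standard.enc(pk2, b"contract bid")
    tampered = (vk, c2[:-1] + bytes([c2[-1] ^ 1]), s)   # flip one ciphertext bit
    return (tagged.dec(sk, c, b"Alice"),      # b"hello"
            tagged.dec(sk, c, b"Bob"),        # None: tag mismatch
            standard.dec(sk2, (vk, c2, s)),   # b"contract bid"
            standard.dec(sk2, tampered))      # None: signature check fails
```

Only the two wrapper classes matter here; the toy scheme and the Lamport signature could be swapped for any scheme with the same interface, and the wrappers never look inside the ciphertexts they receive.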



Theorem 4. For atk $\in$ {cpa, cca1, cca2}: if $\Pi$ is tnm-atk secure, then $\Pi'$ is snm-atk secure; and if $\Pi$ is tind-atk secure, then $\Pi'$ is ind-atk secure.

The proof of this result will be given in the full version. 

Construction 4 is essentially the construction first shown in [11] and later used in [20,10,17,6] to obtain non-malleable encryption schemes, except that we explicitly separate the underlying tag-based scheme from the “wrapper” that uses the one-time signature scheme. Thus, in each of these papers, there is an implicit tag-based non-malleable encryption scheme. We illustrate this with the scheme of Lindell [17], which we denote as $\Pi_L$. In $\Pi_L$ an encryption of message $m$ is a tuple $\langle c_0, c_1, pk_0, pk_1, r, \mathrm{sig\_vk}, \sigma, s\rangle$. Here $c_0$ and $c_1$ are two encryptions of $m$ using two ind-cpa systems with public keys $pk_0$ and $pk_1$, respectively; sig_vk is a “fresh” verification key of a strong one-time signature scheme; $r$ is a random string; $\sigma$ is an NIZK proof that either $c_0$ and $c_1$ are the encryption of the same message, or $r$ is the commitment of sig_vk; $s$ is a signature of the tuple $\langle c_0, c_1, pk_0, pk_1, \mathrm{sig\_vk}, r, \sigma\rangle$. Then in the underlying tag-based encryption scheme $\Pi$, an encryption of message $m$ with tag $t$ is the tuple $\langle c_0, c_1, pk_0, pk_1, r, t, \sigma\rangle$, where $c_0$, $c_1$, $pk_0$, $pk_1$, and $r$ are all the same as before, and $\sigma$ becomes an NIZK proof that either $c_0$ and $c_1$ are the encryptions of the same message, or $r$ is the commitment of $t$. It is easy to verify that $\Pi$ is tnm-cca2-secure. In fact, one can prove the security for $\Pi$ almost exactly the same way as for the security proof of $\Pi_L$, observing that the use of the strong one-time signature in $\Pi_L$ is solely for enforcing that an adversary will not make a query to the decryption oracle with a ciphertext having the same verification key. Since in the tag-based system $\Pi$ the verification key is replaced by the tag, by definition the adversary cannot query the decryption oracle with a ciphertext having the same tag. So in fact the proof for the security of $\Pi$ is even simpler than the proof for $\Pi_L$. Furthermore, $\Pi_L$ is exactly the transformed version of $\Pi$ under Construction 4. Therefore, one could obtain an alternative proof of security for $\Pi_L$ by plugging $\Pi$ into Theorem 4.

Footnote: In the (independent and concurrent) result of [6], there is actually an explicit identity-based encryption (IBE) scheme which corresponds to our tag-based non-malleable encryption scheme. They essentially prove the cca2 case of Theorem 4. (Note: their cpa-secure IBE scheme corresponds to our cca2-secure tnm scheme.)

In the full version of this paper, we will show that many known relations 
between standard security definitions translate to analogous relations between 
tag-based definitions. 
A Proofs

A.1 Proof of Lemma 6

We prove the lemma for atk = cca1, which will imply the case atk = cpa. We use the notation of Definition 2 and Construction 1.

For an adversary $A = (A_1, A_2)$, we construct simulators $S = (S_1, S_2)$ as follows. The simulator $S_1$ runs $A_1$ and simulates both the random oracle $H(\cdot)$ and the decryption oracle $D_{sk}$ in a quite standard way. More specifically, $S_1$ maintains a “query list” $L$ consisting of pairs $(f(r), t)$ such that $H(r) = t$. $L$ is initially empty. When $A_1$ makes a query $r$ to $H$, $S_1$ checks if $(f(r), t) \in L$ for some $t$, and replies with $t$ if so; otherwise, $S_1$ picks a random $t \leftarrow X$, adds $(f(r), t)$ to $L$, and replies with $t$. When $A_1$ makes a query $y = (\alpha, \beta)$ to $D_{sk}$, $S_1$ checks if $(\alpha, t) \in L$ for some $t$, and replies with $\psi(\beta \cdot t^{-1})$ if so; otherwise, $S_1$ picks a random $t \leftarrow X$, adds $(\alpha, t)$ to $L$, and replies with $\psi(\beta \cdot t^{-1})$. Finally, when $A_1$ outputs $(M, s_1, s_2)$, $S_1$ outputs $(M, s_1, (s_2, L))$.

Upon invocation, the simulator $S_2$ generates a random $r$, sets $\alpha \leftarrow f(r)$, picks $\beta \leftarrow X$, and sets $y \leftarrow (\alpha, \beta)$. Then $S_2$ invokes $A_2$ with parameters $(s_2, y)$, and simulates the random oracle for $A_2$ in the same way as $S_1$ does for $A_1$, using the list $L$ passed from $S_1$. When $A_2(s_2, y)$ outputs $\mathbf{y}$, $S_2$ aborts if $y \in \mathbf{y}$. Otherwise, we assume that $\mathbf{y} = (y_1, y_2, \ldots, y_\ell)$, where $y_i = (\alpha_i, \beta_i)$ for $i = 1, 2, \ldots, \ell$. $S_2$ generates $\mathbf{z}$ as follows. For each $i$, if $\alpha_i \neq \alpha$, then set $z_i \leftarrow \bot$; otherwise compute $\lambda_i$ from $\beta_i$, compute its soft spot $x_i \leftarrow \mathrm{ss}(\lambda_i)$, and then set $z_i \leftarrow x_i$. Finally $S_2$ sets $\mathbf{z} = (z_1, z_2, \ldots, z_\ell)$, and outputs $(\mathbf{y}, \mathbf{z})$.

Next, we prove that $S$ is a valid simulator, i.e., that $\Pr[\mathrm{Expt}_{A,\Pi}(R, k) = 1] - \Pr[\mathrm{Expt}_{S,\Pi}(R, k) = 1]$ is negligible in $k$. In order to do so, we introduce a new experiment called Mix. Informally, $\mathrm{Mix}_{A,S,\Pi}(R, k)$ is the same as $\mathrm{Expt}_{A,\Pi}(R, k)$, except using the simulator $S$ to simulate the random oracle and the decryption. Now let $p_A$, $p_{\mathrm{Mix}}$ and $p_S$ be the probabilities of success in the real, Mix, and ideal experiments, respectively. We shall prove that both $p_A - p_{\mathrm{Mix}}$ and $p_{\mathrm{Mix}} - p_S$ are negligible in $k$, and the lemma will follow directly.

To see that $p_A - p_{\mathrm{Mix}}$ is negligible, note that the simulation of the random oracle and decryption in Mix will be valid except in the case where $A_1$ has queried $H$ with $r$ or $D_{sk}$ with $(\alpha, \beta')$ for some $\beta'$. Since $r$ and $\alpha$ are chosen randomly after $A_1$ is executed, the probability of this is obviously negligible.

To see that $p_{\mathrm{Mix}} - p_S$ is negligible, note that the two experiments only differ when $A_2$ queries $H(r)$, and the probability of this is negligible by the security of $f$. (Using unique identifiability and by viewing random oracle queries, $S_2$ is able to simulate the decryption exactly.)

Details will be provided in the full version of the paper.

A.2 Proof of Theorem 1

First the intuition. If CBS were not secure, then there would be an adversary $A$ that breaks it, meaning that for some fair Award, no simulator could achieve an expected award negligibly less than $A$. But we will construct an adversary $B$ for $\Pi$ out of $A$, and by the wnm-security of $\Pi$, there is a simulator $S'$ that approximates $B$ for any relation. Then we will use $S'$ to build a simulator $S$ for CBS that does achieve an expected award negligibly less than $A$, which is a contradiction.

Now the details. Assume CBS is not secure. Then for some $q(k)$ there exists an adversary $A$ that runs in time $q(k)$ and such that for every simulator $S$, there exists a non-negligible $r(k)$ and an infinite number of $k$'s in which $\mathrm{Adv}_{A,S,\mathrm{CBS}}(k) > r(k)$. Let $\mathrm{Edge}_{A,S,\mathrm{CBS}}(k, c) = \Pr[\mathrm{Expt}_{A,\mathrm{CBS}}(k) > c] - \Pr[\mathrm{Expt}_{S,\mathrm{CBS}}(k) > c]$. Then using the definition of expectation, there is a $c$ such that for an infinite number of $k$'s, $\mathrm{Edge}_{A,S,\mathrm{CBS}}(k, c) > r(k)/U$. Without loss of generality, we may assume that $A_2$ never outputs $\bot$ as its encrypted bid, since by the fairness of the Award function, this cannot increase its advantage.
Define relation $R_c(\mathbf{x}, x, M, s_1)$ to return 1 iff $|\mathbf{x}| = 1$ and $\mathrm{Award}(x, \mathbf{x}[0])[1] > c$. Consider the following adversary $B$ for the wnm-cpa-security of $\Pi$.

$B_1(pk)$:
    $(M, s) \leftarrow A_1(pk, 1^k)$
    return $(M, \top, s)$

$B_2(s, y)$:
    $\mathrm{ebid}_1 \leftarrow A_2(y, s)$
    return $\mathrm{ebid}_1$

Since $\Pi$ is wnm-cpa-secure, there exists a simulator $S' = (S'_1, S'_2)$ such that $\mathrm{Adv}^{\text{wnm-cpa}}_{B,S',\Pi}(R_c, k)$ is negligible for all $c$. Because $R_c(\mathbf{x}, x, M, s_1)$ returns 1 only if $|\mathbf{x}| = 1$, we assume without loss of generality that $S'_2$ returns one-element vectors $\mathbf{y}$ and $\mathbf{z}$, i.e., values $y$ and $z$. Now let a simulator $S'' = (S''_1, S''_2)$ for the contract bidding system be defined as follows.



$S''_1(1^k)$:
    $(pk, sk) \leftarrow G(1^k)$
    $(M, s_1, s_2) \leftarrow S'_1(pk)$
    return $(M, s_2)$

$S''_2(s)$:
    $(y) \leftarrow S'_2(s)$
    return $D_{sk}(y)$

Note that by the fairness of Award, the award can never decrease when $\mathrm{bid}_1$ is changed from $\bot$ to a valid bid, and so it is easy to see that $\Pr[\mathrm{Expt}_{S'',\mathrm{CBS}}(k) > c] \geq \Pr[\mathrm{Expt}^{\text{wnm-cpa}}_{S',\Pi}(R_c, k) = 1]$. Using this fact, one can see that for all $c$, $\mathrm{Edge}_{A,S'',\mathrm{CBS}}(k, c) \leq \mathrm{Adv}^{\text{wnm-cpa}}_{B,S',\Pi}(R_c, k)$, and thus by the discussion above, for all $c$, $\mathrm{Edge}_{A,S'',\mathrm{CBS}}(k, c)$ is negligible. This is a contradiction, so CBS must be secure.

A.3 Proof of Theorem 3

Let $A$ be an adversary that interacts with parties running $\sigma$ in the $\mathcal{F}_{\text{AUTH}}$-hybrid model. We will construct an adversary $S$ in the ideal process for $\mathcal{F}_{\text{M-SMT}}$ such that no environment $Z$ can distinguish whether it is interacting with $A$ and $\sigma$ in the $\mathcal{F}_{\text{AUTH}}$-hybrid model, or with $S$ and $\mathcal{F}_{\text{M-SMT}}$ in the ideal process. For simplicity, we assume there exists only one instance of $\mathcal{F}_{\text{M-SMT}}$ with identifier $id|P_i$ for some $P_i$. It is straightforward to extend the behavior of $S$ to the case of multiple instances. $S$ runs a simulated copy of $A$ and maintains a tuple $(pk^*, sk^*, owner)$, where $pk^*$ is the “session public key”, $sk^*$ is the corresponding secret key, and $owner$ is the index of the party who “owns” it. The session key pair $(pk^*, sk^*)$ is initialized to $\bot$. Then $S$ forwards messages from $Z$ to $A$, as well as messages from $A$ to $Z$. Furthermore, $S$ also sees the public part (also known as “header” [7]) of all the messages from uncorrupted parties to $\mathcal{F}_{\text{M-SMT}}$ and may decide when and if to forward these messages. We refer the readers to [7] for more detailed discussions. In the case of $\mathcal{F}_{\text{M-SMT}}$, all messages to $\mathcal{F}_{\text{M-SMT}}$ are public, except the “payload message” $m$ in (send, $id$, $m$). $S$ also simulates the ideal functionality $\mathcal{F}_{\text{AUTH}}$.

Next, we describe the behavior of $S$ in more detail. Note that $S$ simulates $\mathcal{F}_{\text{AUTH}}$ as normal except as detailed below.

Footnote: Since we assume there is only one instance of the $\mathcal{F}_{\text{M-SMT}}$ ideal functionality, there is only one instance of protocol $\sigma$, and thus there is only one key. Also, in the case of identifier $id|P_i$, $owner = i$.
Simulating Communication with $Z$: $S$ directly forwards any messages between $Z$ and $A$.

Key Generation: If $P_i$ is uncorrupted and $S$ sees a message (receiver, $id|P_i$) from $P_i$ to $\mathcal{F}_{\text{M-SMT}}$, $S$ forwards this message to $\mathcal{F}_{\text{M-SMT}}$. If $pk^* \neq \bot$ it does nothing else. Otherwise $S$ generates $(pk, sk) \leftarrow G(1^k)$, sets $(pk^*, sk^*) \leftarrow (pk, sk)$ and $owner \leftarrow i$, and simulates $\mathcal{F}_{\text{AUTH}}$ to send (key, $id|P_i$, $pk$) to all other parties.

If $P_i$ is corrupted and $S$ sees $P_i$ send a message (key, $id|P_i$, $pk$) to $\mathcal{F}_{\text{AUTH}}$, $S$ simulates $\mathcal{F}_{\text{AUTH}}$. Furthermore, if $pk^* = \bot$ and $pk \neq \bot$, then $S$ sends message (receiver, $id$) to $\mathcal{F}_{\text{M-SMT}}$ on behalf of $P_i$ and sets $owner \leftarrow i$ and $(pk^*, sk^*) \leftarrow (pk, ?)$. Here “$sk^* = ?$” indicates that $S$ does not know the corresponding secret key.

Delivery of the public key: When $A$ delivers a message $(P_i, P_j, (\text{key}, id|P_i, pk))$ from $\mathcal{F}_{\text{AUTH}}$ to an uncorrupted party $P_j$ that has not received such a message previously, $S$ records the tuple $(P_j, (P_i, pk))$ and delivers (receiver, $id|P_i$, $P_i$) from $\mathcal{F}_{\text{M-SMT}}$ to $P_j$.

Message transfer from an uncorrupted party: If $S$ sees an uncorrupted party $P_j$ send a message (send, $id|P_i$, —) to $\mathcal{F}_{\text{M-SMT}}$, where “—” indicates the “private” part of the message that $S$ does not see, and if $S$ has stored a tuple $(P_i, (P_j, pk'))$, $S$ does the following. First $S$ forwards the send message to $\mathcal{F}_{\text{M-SMT}}$, and receives the length $|m|$. Next, if $P_i$ is corrupted, then $S$ receives the message $(id, m, P_i)$ from $\mathcal{F}_{\text{M-SMT}}$ to the ideal $P_i$, and sets $c \leftarrow E_{pk'}(m, P_j)$. If $P_i$ is uncorrupted, then $S$ sets $c \leftarrow E_{pk^*}(0^{|m|}, P_j)$. Finally, $S$ simulates $\mathcal{F}_{\text{AUTH}}$ to send $(id|P_i, c)$ to $P_i$.

Message transfer from a corrupted party: If $S$ sees a corrupted party $P_j$ (controlled by $A$) send message $(id|P_i, c)$ to $P_i$ through $\mathcal{F}_{\text{AUTH}}$, we may assume that $P_i$ is uncorrupted, since otherwise $S$ does not need to do anything. In this case, $S$ sets $m \leftarrow D_{sk^*}(c, P_j)$ and if $m \neq \bot$, sends message (send, $id$, $m$) to $\mathcal{F}_{\text{M-SMT}}$, forwarding the message $(id, P_j, m)$ to the ideal $P_i$ when $A$ forwards the corresponding message to $P_i$ from $\mathcal{F}_{\text{AUTH}}$.



Now we show that if any $Z$ can distinguish whether it is interacting with $A$ and $\sigma$ in the $\mathcal{F}_{\text{AUTH}}$-hybrid model, or with $S$ and $\mathcal{F}_{\text{M-SMT}}$ in the ideal process, then this can be used to construct an adversary $B = (B_1, B_2)$ that breaks the tind-cca2-security of $\Pi$.

Intuitively, this is true because the only possible difference between the ideal process and the real world is in the case when an uncorrupted party $P_j$ sends a message to another uncorrupted party $P_i$. In the real world, an encryption of $m$ is sent through $\mathcal{F}_{\text{AUTH}}$; in the ideal process, $S$ simulates this message using an encryption of $0^{|m|}$, since $S$ does not know $m$. Notice that the tag for this encryption is always $P_j$, the identity of an uncorrupted party. $S$ also performs decryptions, but only for messages from corrupted parties. Therefore, $S$ only decrypts messages with corrupted parties' identities as tags, and in particular, no ciphertexts with tag $P_j$ are decrypted by $S$. Then, by the tind-cca2-security of $\Pi$, the simulation of $S$ is indistinguishable from the real world.
We now describe the proof more formally. $B$ takes a public key $pk$ and a decryption oracle, plays the role of $\mathcal{F}_{\text{M-SMT}}$ and runs $S$ with the following changes. Assume that $\ell$ messages are sent using $\mathcal{F}_{\text{M-SMT}}$. $B_1$ chooses $h \in \{1, \ldots, \ell\}$. If an uncorrupted party $P_i$ needs to generate a key pair, $pk$ is used as the public key. Let $id|P_i$ be the associated identifier. Then for the first $h - 1$ messages to $P_i$ with $id$ from uncorrupted parties, $B$ has $S$ encrypt the actual messages, instead of the all-zeros message. On the $h$th message to $P_i$ with $id|P_i$, say from an uncorrupted $P_j$, $B_1$ outputs the all-zeros message, the real message, the tag $P_j$, and its internal state. Then $B_2$ uses the challenge ciphertext in the message to $P_i$, and continues to run $S$ as normal, encrypting all-zeros messages again. $B_1$ and $B_2$ both call the decryption oracle on messages to $P_i$ from a corrupted $P_j$. Note that the tag in this case is always different from the tag returned by $B_1$. Finally, $B_2$ outputs whatever $Z$ outputs. Note that if $h = 0$ and the bit chosen in the tind-cca2 experiment is 0, $B$ runs like $S$, and if $h = \ell$ and the bit chosen in the tind-cca2 experiment is 1, $B$ runs like $A$ in the real protocol. Then by a standard hybrid argument, if $Z$ distinguishes whether it is interacting with $A$ and $\sigma$ in the $\mathcal{F}_{\text{AUTH}}$-hybrid model, or with $S$ and $\mathcal{F}_{\text{M-SMT}}$ in the ideal process, $B$ breaks the tind-cca2-security of $\Pi$.




A Note on Constant-Round Zero-Knowledge Proofs for NP

Alon Rosen

Laboratory for Computer Science, Massachusetts Institute of Technology, 200 Tech. Square, Cambridge, MA 02139 USA**
alon@lcs.mit.edu



Abstract. We consider the problem of constructing a constant-round zero-knowledge proof system for all languages in NP. This problem has been previously addressed by Goldreich and Kahan (Jour. of Cryptology, 1996). Following recent works on concurrent zero-knowledge, we propose an alternative solution that admits a considerably simpler analysis.



Zero-knowledge (ZK) protocols require no introduction. Since their conceptualization [10], they have become a widely used tool in the design and realization of many cryptographic tasks. The notion of zero-knowledge owes much of its wide applicability to its generality, and specifically, to the fact that every language in NP can be proved in ZK [11].

In this paper we consider the basic task of constructing a constant-round zero-knowledge interactive proof system for all languages in NP (with negligible error). Recall that an interactive proof system is required to protect the honest verifier from an all-powerful prover that is trying to convince him of the validity of a false assertion. This should be contrasted with the case of an interactive argument system (cf. [3]), in which the soundness property is required to hold only w.r.t. computationally bounded provers.

Our goal is to design a “natural” protocol whose zero-knowledge property is demonstrated in as simple a manner as possible. This would be in contrast to previous solutions, which involved a fairly complicated analysis (cf. Goldreich, Kahan [7]). Our solution is inspired by a new ZK protocol by Prabhakaran, Rosen and Sahai [18], originally introduced in the context of concurrent Zero-Knowledge. Constant-round, negligible-error ZK proofs for NP are a fundamental and widely used cryptographic tool. Needless to say, a simple construction/analysis of such proofs would be most desirable.

1 Constructing a Constant-Round ZK Proof for NP

We assume familiarity with the concepts of Interactive Proofs, Zero-Knowledge and Bit Commitment (see Appendix for the actual definitions) [10,11,15,6]. The “typical” construction for a constant-round interactive proof for any language in NP would use a protocol of the following sort as a building block (here we use a protocol for the NP-complete language of Hamiltonicity [2]):¹

** Part of this work was done while at the Weizmann Institute of Science, Israel.

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 191-202, 2004.



Common Input: A directed graph $G = (V, E)$ with $n = |V|$.

Auxiliary Input to Prover: A directed Hamiltonian Cycle, $C \subseteq E$, in $G$.

(p1): Pick a random permutation $\pi$ of the vertices $V$ and commit (using a perfectly binding commitment) to the adjacency matrix of the resulting permuted graph. That is, send an $n$-by-$n$ matrix of commitments so that the $(\pi(i), \pi(j))$-th entry is a commitment to 1 if $(i, j) \in E$, and is a commitment to 0 otherwise.

(v1): Send a randomly chosen bit $\sigma \in \{0, 1\}$.

(p2): If $\sigma = 0$, send $\pi$ to the verifier along with the revealing (i.e., preimages) of all commitments. Otherwise, reveal only the commitments to entries $(\pi(i), \pi(j))$ with $(i, j) \in C$. In both cases also supply the corresponding decommitments.

(v2): If $\sigma = 0$, check that the revealed graph is indeed isomorphic, via $\pi$, to $G$. Otherwise, just check that all revealed values are 1 and that the corresponding entries form a simple $n$-cycle. In both cases check that the decommitments are proper (i.e., that they fit the corresponding commitments). Accept if and only if the corresponding condition holds.

Fig. 1. A 3-round interactive proof system for Hamiltonicity.

It can be seen that the above protocol is both complete and sound (with soundness error 1/2). An additional “useful” property of the protocol (which is also satisfied by many other known protocols) is that if the prover knows the contents of the verifier's “challenge” message $\sigma$ (sent in Step (v1)) prior to sending its own first message (sent in Step (p1)), then it is able to convince the verifier that $G$ contains a Hamiltonian cycle even without knowing such a cycle (actually, it will convince the verifier even if $G$ does not contain a Hamiltonian cycle).

Specifically, knowing in advance that $\sigma = 0$, the prover will commit to the entries of the adjacency matrix of the permuted graph (in Step (p1)), thus being able to reveal a permutation $\pi$ and the preimages of all commitments in Step (p2). On the other hand, knowing in advance that $\sigma = 1$, the prover will commit to the full graph $K_n$, thus being able to open an arbitrary cycle in the supposedly permuted graph.
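The 3-round protocol of Fig. 1 and the “useful” property just described, as an added Python example that is not part of the paper. The perfectly binding commitment of Step (p1) is replaced by a SHA-256 hash of a random opening and the committed bit (an assumption adequate for a demonstration, not a perfectly binding scheme); the graphs are constructed sample inputs. `honest_run` executes both challenge branches with a prover that knows a cycle, and `cheating_run` is the prover of the “useful” property: it has no Hamiltonian cycle, prepares its (p1) message for a guess of $\sigma$ (the permuted graph for $\sigma = 0$, the complete graph $K_n$ for $\sigma = 1$), and is accepted exactly when the guess matches the challenge, which is why the verifier's coin must stay hidden until (p1) has been sent.

```python
import hashlib
import random
import secrets

# Hash-based commitment standing in for the perfectly binding commitment of
# Step (p1) (assumption: SHA-256 over a 32-byte random opening; fine for a demo).
def commit(bit):
    opening = secrets.token_bytes(32)
    return hashlib.sha256(opening + bytes([bit])).digest(), opening

def open_ok(com, bit, opening):
    return hashlib.sha256(opening + bytes([bit])).digest() == com

def prover_p1(n, edges, perm):
    """Step (p1): commit to the adjacency matrix of G permuted by perm.
    Entry (perm[i], perm[j]) commits to 1 iff (i, j) is an edge."""
    coms = [[None] * n for _ in range(n)]
    vals = [[0] * n for _ in range(n)]
    opens = [[None] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            bit = 1 if (i, j) in edges else 0
            a, b = perm[i], perm[j]
            vals[a][b] = bit
            coms[a][b], opens[a][b] = commit(bit)
    return coms, vals, opens

def prover_p2(sigma, n, perm, cycle, vals, opens):
    """Step (p2): sigma = 0 -> reveal perm and open every entry;
    sigma = 1 -> open only the entries of the (permuted) cycle."""
    if sigma == 0:
        cells = [(a, b) for a in range(n) for b in range(n)]
        return {"perm": perm, "reveal": {c: (vals[c[0]][c[1]], opens[c[0]][c[1]]) for c in cells}}
    cells = [(perm[i], perm[j]) for (i, j) in cycle]
    return {"reveal": {c: (vals[c[0]][c[1]], opens[c[0]][c[1]]) for c in cells}}

def is_simple_cycle(arcs, n):
    """True iff the arcs form one directed cycle through all n vertices."""
    nxt = {}
    for a, b in arcs:
        if a in nxt:
            return False
        nxt[a] = b
    if set(nxt) != set(range(n)) or set(nxt.values()) != set(range(n)):
        return False
    v, steps = 0, 0
    while True:
        v, steps = nxt[v], steps + 1
        if v == 0:
            return steps == n

def verifier_v2(sigma, n, edges, coms, answer):
    """Step (v2): every opening must match its commitment, then the
    sigma-specific condition is checked."""
    for (a, b), (bit, opening) in answer["reveal"].items():
        if not open_ok(coms[a][b], bit, opening):
            return False
    if sigma == 0:
        perm = answer.get("perm")
        if perm is None or sorted(perm) != list(range(n)) or len(answer["reveal"]) != n * n:
            return False
        return all(answer["reveal"][(perm[i], perm[j])][0] == (1 if (i, j) in edges else 0)
                   for i in range(n) for j in range(n))
    revealed = list(answer["reveal"])
    if len(revealed) != n or any(bit != 1 for bit, _ in answer["reveal"].values()):
        return False
    return is_simple_cycle(revealed, n)

def honest_run(n, edges, cycle, sigma, rng):
    """Full 3-round execution with an honest prover that knows a cycle."""
    perm = list(range(n))
    rng.shuffle(perm)
    coms, vals, opens = prover_p1(n, edges, perm)
    return verifier_v2(sigma, n, edges, coms, prover_p2(sigma, n, perm, cycle, vals, opens))

def cheating_run(n, edges, guess, sigma, rng):
    """The "useful" property: a prover with no Hamiltonian cycle prepares (p1) for
    its guess of sigma (permuted G for 0, the complete graph K_n for 1) and is
    accepted iff the guess matches the challenge actually sent in (v1)."""
    perm = list(range(n))
    rng.shuffle(perm)
    graph = edges if guess == 0 else {(i, j) for i in range(n) for j in range(n) if i != j}
    coms, vals, opens = prover_p1(n, graph, perm)
    any_cycle = [(i, (i + 1) % n) for i in range(n)]   # opens on K_n whatever perm is
    return verifier_v2(sigma, n, edges, coms, prover_p2(sigma, n, perm, any_cycle, vals, opens))

# Constructed sample inputs: a 5-vertex graph with a Hamiltonian cycle, and a path without one.
G_EDGES = {(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)}
G_CYCLE = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]
PATH_EDGES = {(0, 1), (1, 2), (2, 3), (3, 4)}

def demo(seed=2004):
    """Both honest branches, and the four (guess, challenge) cases of the cheating prover."""
    rng = random.Random(seed)
    honest = [honest_run(5, G_EDGES, G_CYCLE, s, rng) for s in (0, 1)]
    cheat = {(g, s): cheating_run(5, PATH_EDGES, g, s, rng) for g in (0, 1) for s in (0, 1)}
    return honest, cheat
```

The cheating prover's two failures are the soundness argument in miniature: a commitment to the permuted path cannot open a cycle of ones, and a commitment to $K_n$ cannot open a matrix isomorphic to the path, so without advance knowledge of $\sigma$ the prover is caught with probability 1/2 per repetition.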

The above “useful” property is sufficient in order to prove that the above protocol is black-box zero-knowledge. All that the simulator has to do is to try and “guess” the value of $\sigma$ prior to determining the value of the prover's first message (and keep trying until it succeeds). Using the computational-hiding property of the prover's commitment in Step (p1) we would then have that no matter what an adversary verifier $V^*$ does, the simulator is expected to guess $\sigma$'s value in a constant number of attempts.

¹ The choice of the Hamiltonicity protocol (due to Blum) as a building block is arbitrary (and is made just for clarity of presentation). In fact, any protocol with similar properties (such as the 3-coloring protocol of Goldreich, Micali and Wigderson [11]) could have been used.

To obtain a useful protocol, however, one must make sure that whenever the statement proved is false, $V$ accepts only with small probability (rather than 1/2). To achieve this, the protocol described above is repeated many (say, $n$) times independently. $V$ accepts if and only if it has accepted in all $n$ repetitions. The probability of having $V$ accept a false statement is now reduced to $1/2^n$ (by the independence of the repetitions). To save on the number of rounds, the repetitions are conducted in parallel (rather than sequentially).

Unfortunately, repeating the protocol many times in parallel brings up the following difficulty. Whereas in the case of a single execution, the probability that the ZK simulator “guesses” the value of $\sigma$ correctly is at least 1/2, the probability that it does so simultaneously for all $n$ repetitions is $1/2^n$. For large $n$, this probability will be very small and might cause the simulator to run for too long. Thus, it is not clear that the ZK property of the protocol is preserved. Indeed, the above protocol cannot be proved to be ZK using black-box simulation (unless NP $\subseteq$ BPP) [8].²



The Goldreich-Kahan Analysis [7]. To overcome the above problem, an additional (V0) message is added at the beginning of the protocol, in which the verifier commits to all $n$ “challenge” bits prior to receiving (p1). The verifier then decommits to all challenge bits in message (v1). The secrecy property of the commitment used in (V0) should then guarantee that the soundness of the protocol is preserved.

At this point, it seems that all that the simulator has to do after obtaining $V^*$'s commitments in message (V0) is to feed $V^*$ with a “dummy” (p1) and then obtain decommitment to all challenge bits in message (v1). Knowing the challenge bits, the simulator would then “rewind” the interaction with $V^*$ and resend a modified (p1) that would convince the verifier of the validity of the assertion (this is possible due to the “useful” property of the underlying protocol).

Unfortunately, V* may arbitrarily deviate from the prescribed strategy. In 
particular, it may be the case that throughout its interaction with the prover 
(simulator), V* occasionally sends an ABORT message (that is, V* may potentially 
refuse to decommit to any of the previous commitments). Clearly, such an action 
on behalf of the verifier is considered illegal, and the interaction stops. 

Having $V^*$ refuse to decommit may seem like good news (since, once this happens, the simulator does not really need to do anything). The problem is that $V^*$ does not always refuse to decommit (but may refuse with some probability $0 < p < 1$, which is not known in advance by the simulator). Thus, the simulator may find itself in a situation in which the first run is answered with ABORT whereas the second run is “properly answered”. This means that the simulator has not managed to obtain the “challenge” bits in the first run, and it thus fails to complete its task.

² A recent result by Barak [1] suggests that black-box lower bounds should not be interpreted as impossibility results about ZK, but rather as limitations of black-box simulation as a technique for proving the ZK property of protocols. It should be noted, however, that Barak's protocol is only known to apply to certain kinds of argument systems (rather than proof systems).

One naive solution would be to let the simulator always output the run 
in which V* has refused to decommit. The problem with this solution is that 
it “skews” the distribution of transcripts outputted by the simulator towards 
transcripts that contain ill-formed messages. 

Goldreich and Kahan [7] suggested to let the simulator always decide whether to output an aborted run according to the outcome of the first run. Specifically, the simulator will rewind only if “answered properly” in the first run and will continue doing so (i.e., rewinding) until it obtains another “proper answer”. Unfortunately, while this simulation strategy guarantees that the simulator's output is correctly distributed, it also introduces technical difficulties. Loosely speaking, these difficulties arise from the fact that the probability of $V^*$ refusing to decommit might differ between the case it is fed with a “dummy” commitment (in step (p1)) and the case it is fed with a “convincing” commitment. The solution to this problem is somewhat involved and requires having the simulator obtain an estimate of the probability that $V^*$ decommits properly when fed with a “convincing” commitment in step (p1). As we have said before, our goal is to obtain a simpler analysis (even at the cost of analyzing a slightly different protocol).

2 The New Protocol

Consider the following protocol for Hamiltonicity (HC), which is a variant of the cZK protocol by Prabhakaran, Rosen and Sahai [18] in which the preamble has only one iteration (rather than a super-logarithmic number of iterations as in the PRS protocol).³

As shown in [18], the above protocol is both complete and sound (with negligible error). In particular, the construction above is an interactive proof system for HC. The following theorem states that it is also ZK.

Theorem 2.1 (Constant-round ZK proof for NP) Assume the existence of perfectly-hiding commitment schemes. Then, the protocol described in Figure 2 is a ZK proof system for HC.



2.1 Zero-Knowledge

In order to demonstrate the ZK property of the protocol, we will show that there exists a “universal” black-box simulator, $S$, so that for every $G = (V, E) \in HC$ and adversary verifier $V^*$ that runs in polynomial time (in $n = |V|$), $S(G)$ runs in expected time $\mathrm{poly}(n)$, and satisfies that the ensemble $\{\mathrm{view}_{V^*}(G)\}_{G \in HC}$ is computationally indistinguishable from the ensemble $\{S(G)\}_{G \in HC}$.

³ A related approach has been previously used in order to construct constant-round perfect ZK arguments for NP (see [5]).







Common Input: A directed graph $G = (V, E)$ with $n = |V|$.

Auxiliary Input to Prover: A directed Hamiltonian Cycle, $C \subseteq E$, in $G$.
Additional parameter: A super-logarithmic function $k(n)$.

Stage 1: Commitment to challenge $\sigma \in \{0, 1\}^n$ (independent of common input):
(P1): Send first message for perfectly hiding commitment scheme.

(V1): Commit to random $\sigma$, $\{\sigma_i^0\}_{i=1}^k$, $\{\sigma_i^1\}_{i=1}^k$ s.t. $\sigma_i^0 \oplus \sigma_i^1 = \sigma$ for all $i$.

(P2): Send a random $k$-bit string $r = r_1, \ldots, r_k$.
(V2): Decommit to $\sigma_1^{r_1}, \ldots, \sigma_k^{r_k}$.

Stage 2: Engage in the 3-round protocol for HC ($n$ parallel repetitions) using $\sigma = \sigma_1, \ldots, \sigma_n$ as challenge:

(p1): Produce first prover message of HC protocol (as in (p1)).

(v1): Decommit to $\sigma$ and to $\sigma_1^{1-r_1}, \ldots, \sigma_k^{1-r_k}$.

(p2): Answer $\sigma$ with second prover message of HC protocol (as in (p2)).

(v2): Accept if and only if all corresponding conditions hold (as in (v2)).

Fig. 2. A new 7-round, negligible error, ZK proof for Hamiltonicity.

The Simulator. On input $G = (V, E)$ with $n = |V|$, the simulator $S$ starts by selecting and fixing a random tape $s \in \{0, 1\}^{\mathrm{poly}(n)}$ for $V^*$. It then proceeds by exploring various prefixes of possible interactions between $P$ and $V^*$. This is done while having only black-box access to $V^*$. It then acts as follows.



Step (S1): Randomly generate (P1) and obtain (V1) $= V^*(G, (\text{P1}); s)$.

Step (S2): Randomly generate (P2) and obtain (V2) $= V^*(G, (\text{P1}), (\text{P2}); s)$.

1. If (V2) $\neq$ ABORT, proceed to Step (S3).

2. If (V2) $=$ ABORT, output ((P1), (V1), ABORT) and stop.

Step (S3): For $j = 1, 2, \ldots$

1. Randomly generate (P2)$_j$ and obtain (V2)$_j = V^*(G, (\text{P1}), (\text{P2})_j; s)$.

2. If (V2)$_j \neq$ ABORT, proceed to Step (S4).

3. If (V2)$_j =$ ABORT continue,
end (for)

Step (S4): Let (P2) $= r_1, \ldots, r_k$ be the prover message generated in Step (S2) of the simulation and let (P2)$_j = r'_1, \ldots, r'_k$ be the last prover message generated in Step (S3):

1. If (P2) $=$ (P2)$_j$, output $\bot$ and stop.

2. If (P2) $\neq$ (P2)$_j$, there exists $i \in \{1, \ldots, k\}$ so that $r_i \neq r'_i$. Let $\sigma = \sigma_i^{r_i} \oplus \sigma_i^{r'_i}$.

3. Use $\sigma$ to produce an accepting transcript (p1), (v1), (p2) for $G \in HC$.

4. Output ((P1), (V1), (P2), (V2), (p1), (v1), (p2)) and stop.

Fig. 3. The black-box simulator $S$.

Notice that the simulator always picks the $(P2)_j$ messages uniformly at random. Since the length of the (P2)'s is super-logarithmic, the probability that any two (P2) messages sent during the simulation are equal is negligible (see Section 2.1 for further details). We note that in previous simulators (cf. [7,19,13,14]), the values of the (P2) messages depended on the values revealed by the verifier in the corresponding (V2) answers, and were not chosen uniformly and independently each time. This is the main reason for the complication of previous analyses of the simulator's output distribution.



The simulator's running time. For any $G \in HC$, for any choice of $s$ and of (P1), let $\zeta = \zeta(G, (P1), s)$ denote the probability that the verifier $V^*$ does not send an ABORT message in message (V2). The probability $\zeta$ is taken over the random choices of message (P2). (Or, in other words, over the coin-tosses used by the simulator to generate (P2) during the simulation (both in Steps (S2) and (S3).1).)

Using this notation, the simulator proceeds to Step (S3) with probability $\zeta$ and is then expected to reach Step (S4) after repeatedly rewinding in Step (S3).1 for $1/\zeta$ times (since the probability of successfully rewinding in each one of the rewinds is precisely $\zeta$, independently of other rewinds). For $i \in \{1, 2, 3, 4\}$, let $p_i(\cdot)$ be a polynomial bound on the work required in order to perform Step (S$i$) of the simulation (where in Step (S3), the value $p_3(\cdot)$ represents the work of a single execution of Step (S3).1). The expected running time of the simulator is then:

$$p_1(n) + (1-\zeta)\cdot p_2(n) + \zeta\cdot\Big(p_2(n) + \frac{1}{\zeta}\cdot p_3(n) + p_4(n)\Big) \;\le\; p_1(n) + p_2(n) + p_3(n) + p_4(n) \;=\; \mathrm{poly}(n)$$

Since the above holds for any choice of $s$ and (P1), it is also true for randomly chosen $s$ and (P1) (and of course for any $G \in HC$). We thus have:

Proposition 2.2 The simulator $S$ runs in expected polynomial-time (in $|V|$).



The simulator's output distribution. We now turn to show that for every $G \in HC$, the simulator's output distribution is computationally indistinguishable from $V^*$'s view of interactions with the honest prover $P$. Specifically,

Proposition 2.3 Suppose that the commitment used in Step (p1) is computationally hiding. Then, the ensemble $\{S^{V^*}(G)\}_{G \in HC}$ is computationally indistinguishable from the ensemble $\{\mathrm{view}^P_{V^*}(G)\}_{G \in HC}$.

Proof: As a hybrid experiment, consider what happens to the output distribution of the simulator $S$ if we (slightly) modify its simulation strategy in the following way: Suppose that on input $G = (V, E) \in HC$, the simulator $S$ obtains a directed Hamiltonian Cycle $C \subseteq E$ in $G$ (as auxiliary input) and uses it in order to produce real prover messages whenever it reaches the second stage of the protocol. Specifically, when it reaches the second stage, the hybrid simulator checks whether the original simulator $S$ should output $\bot$ (in which case it also does). If $S$ does not have to output $\bot$, the hybrid simulator follows the prescribed prover strategy and generates prover messages for the corresponding second stage (by using the cycle it possesses rather than its prior knowledge of $\sigma$). We claim that the ensemble consisting of the resulting output (which we denote by $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$) is computationally indistinguishable from $\{S^{V^*}(G)\}_{G \in HC}$. Namely,

Claim 2.4 Suppose that the commitment used in Step (p1) is computationally hiding. Then, the ensemble $\{S^{V^*}(G)\}_{G \in HC}$ is computationally indistinguishable from the ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$.

Proof Sketch: The claim is proved by reducing the proof to the indistinguishability of Blum's simulator's output (that is, if the output of Blum's simulator [2] is computationally indistinguishable from the view of real executions of the basic Hamiltonicity proof system, then $\{S^{V^*}(G)\}_{G \in HC}$ and $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ are indistinguishable as well). The latter is proved to hold based on the computational-hiding property of the commitment scheme that is used by the prover in Step (p1) (see [2,6] for further details). Here we also use the extra property that the output of Blum's simulator is indistinguishable from true interactions even if the distinguisher has a-priori knowledge of a Hamiltonian cycle $C \subseteq E$. ∎

We next consider what happens to the output distribution of the hybrid simulator $\hat{S}$ if we assume that it does not output $\bot$. It turns out that in such a case, the resulting output distribution is identical to the distribution of $\{\mathrm{view}^P_{V^*}(G)\}_{G \in HC}$. Namely,

Claim 2.5 The ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ conditioned on it not being $\bot$, is identically distributed to the ensemble $\{\mathrm{view}^P_{V^*}(G)\}_{G \in HC}$.

Proof: Notice that the first stage messages that appear in the output of the “original” simulator (that is, $S$) are identically distributed to the first stage messages that are produced by an honest prover $P$ (since they are uniformly and independently chosen). Since the first stage messages that appear in the output of the “modified” simulator (that is, $\hat{S}$) are identical to the ones appearing in the output of $S$, we infer that they are identically distributed to the first stage messages that are produced by an honest prover $P$. Using the fact that the second stage messages that appear in the output of the “modified” simulator are (by definition) identically distributed to the second stage messages that are produced by an honest prover $P$, we infer that the ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ is identically distributed to $\{\mathrm{view}^P_{V^*}(G)\}_{G \in HC}$. ∎

As we will show in Claim 2.7 below, $\hat{S}$ outputs $\bot$ only with negligible probability. In particular, the ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ is computationally indistinguishable from (and in fact statistically close to) the ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ conditioned on it not being $\bot$. Namely,

Claim 2.6 The ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ is computationally indistinguishable from the ensemble $\{\hat{S}^{V^*}(G, C)\}_{G \in HC}$ conditioned on it not being $\bot$.




198 



A. Rosen 



As mentioned above, Claim 2.6 follows by establishing the following claim. 

Claim 2.7 For any $G = (V, E) \in HC$, the probability that $\hat{S}^{V^*}(G, C) = \bot$ is negligible (in $|V|$).

Proof: Let $G \in HC$ with $n = |V|$. We will show that for any choice of $s \in \{0,1\}^{\mathrm{poly}(n)}$ and (P1) the probability of $\hat{S}$ outputting $\bot$ (over random choices of $(P2) = r \in \{0,1\}^k$) is precisely $1/2^k$. Since $k$ is super-logarithmic it will immediately follow that the probability that $\hat{S}^{V^*}(G, C) = \bot$ is negligible. Let $\hat{V}^* = \hat{V}^*((P1), s)$ denote the “residual” strategy of $V^*$ when $((P1), s)$ are fixed (i.e., $\hat{V}^*(G, r) \stackrel{\mathrm{def}}{=} V^*(G, (P1), r; s)$), and let $\zeta$ be as in Section 2.1. We then have:

$$\Pr_r\big[\hat{S}^{V^*}(G, C) = \bot\big] = \Pr_r\big[\hat{S}^{V^*}(G, C) = \bot \,\big|\, S \text{ reaches (S3)}\big] \cdot \Pr_r\big[S \text{ reaches (S3)}\big] \quad (1)$$

$$= \Pr_r\big[\hat{S}^{V^*}(G, C) = \bot \,\big|\, S \text{ reaches (S3)}\big] \cdot \zeta$$

$$= \Pr_r\big[(P2) = (P2)_j\big] \cdot \zeta \quad (2)$$

Now, since (P2) and $(P2)_j$ are uniformly and independently chosen in $\{0,1\}^k$, and since the number of $r \in \{0,1\}^k$ for which $\hat{V}^*(G, r)$ is not equal to ABORT is precisely $2^k \cdot \zeta$, it holds that $\Pr[(P2) = (P2)_j] = 1/(2^k \cdot \zeta)$. Using Eq. 2 we infer that:

$$\Pr_r\big[\hat{S}^{V^*}(G, C) = \bot\big] = \frac{1}{2^k \cdot \zeta} \cdot \zeta = \frac{1}{2^k}$$

as required. ∎

It can be seen that Claims 2.4, 2.5 and 2.6 imply Proposition 2.3. ∎
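The Fig. 2 challenge commitment, the Fig. 3 rewinding simulator and the Claim 2.7 probability, as an added Python example that is not part of the paper: the verifier $V^*$ and its abort set, the simulator's coins and the hash-based stand-in commitment are all constructed here (the stand-in is only computationally hiding, unlike the perfectly hiding scheme the protocol requires), and the second stage of the protocol is omitted.

```python
import hashlib
import random
from fractions import Fraction

ABORT = "ABORT"


def commit(value: int, nonce: bytes) -> bytes:
    # Hash-based stand-in commitment: enough to check openings here, but only
    # computationally hiding, unlike the perfectly hiding scheme the protocol uses.
    return hashlib.sha256(value.to_bytes(16, "big") + nonce).digest()


class Verifier:
    """Black-box V*: a deterministic function of its random tape s, the common
    input and the prover's messages, so re-querying with the same s rewinds it."""

    def __init__(self, n: int, k: int, abort_set: set):
        self.n, self.k = n, k
        self.abort_set = abort_set  # constructed: (P2) values r on which V* aborts

    def secrets(self, s: int):
        # sigma and the XOR shares sigma_i^0, sigma_i^1 are derived from the tape s.
        rng = random.Random(s)
        sigma = rng.getrandbits(self.n)
        shares = []
        for _ in range(self.k):
            s0 = rng.getrandbits(self.n)
            shares.append((s0, s0 ^ sigma))  # sigma_i^0 xor sigma_i^1 = sigma
        nonces = [rng.randbytes(8) for _ in range(2 * self.k + 1)]
        return sigma, shares, nonces

    def v1(self, s: int, p1: int) -> list:
        # (V1): commitments to sigma and to all 2k shares.
        sigma, shares, nonces = self.secrets(s)
        coms = [commit(sigma, nonces[0])]
        for i, (a, b) in enumerate(shares):
            coms += [commit(a, nonces[1 + 2 * i]), commit(b, nonces[2 + 2 * i])]
        return coms

    def v2(self, s: int, p1: int, r: int):
        # (V2): abort on r in abort_set, otherwise open sigma_i^{r_i} for every i.
        if r in self.abort_set:
            return ABORT
        _, shares, nonces = self.secrets(s)
        return [(shares[i][(r >> i) & 1], nonces[1 + 2 * i + ((r >> i) & 1)])
                for i in range(self.k)]


def simulate(v: Verifier, s: int, seed: int):
    """Steps (S1)-(S4) of Fig. 3. Returns an abort transcript, None for the
    failure symbol bot, or the extracted challenge sigma."""
    rng = random.Random(seed)  # the simulator's own coins
    p1 = rng.getrandbits(64)  # (S1)
    v1 = v.v1(s, p1)
    p2 = rng.getrandbits(v.k)  # (S2): uniform r
    v2 = v.v2(s, p1, p2)
    if v2 == ABORT:
        return (p1, v1, ABORT)
    while True:  # (S3): rewind with fresh uniform r' until V* does not abort
        p2j = rng.getrandbits(v.k)
        v2j = v.v2(s, p1, p2j)
        if v2j != ABORT:
            break
    if p2 == p2j:  # (S4).1: no position i with r_i != r'_i
        return None
    i = next(i for i in range(v.k) if ((p2 >> i) & 1) != ((p2j >> i) & 1))
    (a, na), (b, nb) = v2[i], v2j[i]  # (S4).2: both shares of pair i
    # Verify both openings against the (V1) commitments before using them.
    assert v1[1 + 2 * i + ((p2 >> i) & 1)] == commit(a, na)
    assert v1[1 + 2 * i + ((p2j >> i) & 1)] == commit(b, nb)
    return a ^ b  # sigma = sigma_i^{r_i} xor sigma_i^{r'_i}


def bot_probability(k: int, abort_set: set) -> Fraction:
    """Exact Pr[bot] of Claim 2.7 for fixed (P1), s: (P2) is uniform on {0,1}^k
    and the last (P2)_j is uniform on the non-aborting r, giving 1/2^k."""
    good = 2 ** k - len({r for r in abort_set if r < 2 ** k})
    if good == 0:
        return Fraction(0)  # V* always aborts: (S3) is never reached
    zeta = Fraction(good, 2 ** k)  # Pr[S reaches (S3)]
    return zeta * Fraction(1, good)  # times Pr[(P2) = (P2)_j | reached (S3)]


if __name__ == "__main__":
    v = Verifier(n=8, k=6, abort_set={r for r in range(64) if r % 3 == 0})
    sigma = v.secrets(2024)[0]
    outs = [simulate(v, 2024, seed) for seed in range(40)]
    print("extracted sigma:", sum(o == sigma for o in outs), "/ 40,",
          "aborts:", sum(isinstance(o, tuple) for o in outs), "bot:", outs.count(None))
    print("exact Pr[bot] =", bot_probability(6, v.abort_set), "= 1/2^k")
```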

Acknowledgements. I would like to thank Oded Goldreich, Yehuda Lindell 
A Definitions

A.l Basic Notation 

We let $\mathbb{N}$ denote the set of all integers. For any integer $k \in \mathbb{N}$, denote by $[k]$ the set $\{1, 2, \ldots, k\}$. For any $x \in \{0,1\}^*$, we let $|x|$ denote the size of $x$ (i.e., the number of bits used in order to write it). For two machines $M, A$, we let $M^A(x)$ denote the output of machine $M$ on input $x$ and given oracle access to $A$. The term negligible is used for denoting functions that are (asymptotically) smaller than one over any polynomial. More precisely, a function $\nu$ from non-negative integers to reals is called negligible if for every constant $c > 0$ and all sufficiently large $n$, it holds that $\nu(n) < n^{-c}$.
A.2 Interactive Proofs

We use the standard definitions of interactive proofs (and interactive Turing machines) [10,6] and arguments (a.k.a. computationally-sound proofs) [3]. Given a pair of interactive Turing machines, $P$ and $V$, we denote by $\langle P, V\rangle(x)$ the random variable representing the (local) output of $V$ when interacting with machine $P$ on common input $x$, when the random input to each machine is uniformly and independently chosen.

Definition A.1 (Interactive Proof System) A pair of interactive machines $\langle P, V\rangle$ is called an interactive proof system for a language $L$ if machine $V$ is polynomial-time and the following two conditions hold with respect to some negligible function $\nu(\cdot)$:

— Completeness: For every $x \in L$,

$$\Pr\big[\langle P, V\rangle(x) = 1\big] \ge 1 - \nu(|x|)$$

— Soundness: For every $x \notin L$, and every interactive machine $B$,

$$\Pr\big[\langle B, V\rangle(x) = 1\big] \le \nu(|x|)$$

In case the soundness condition is required to hold only with respect to a computationally bounded prover, $\langle P, V\rangle$ is called an interactive argument system.



A.3 Zero-Knowledge

Loosely speaking, an interactive proof is said to be zero-knowledge (ZK) if it yields nothing beyond the validity of the assertion being proved. This is formalized by requiring that the view of every probabilistic polynomial-time adversary $V^*$ interacting with the honest prover $P$ can be simulated by a probabilistic polynomial-time machine $S_{V^*}$ (a.k.a. the simulator). The idea behind this definition is that whatever $V^*$ might have learned from interacting with $P$, he could have actually learned by himself (by running the simulator $S$). The transcript of an interaction consists of the common input $x$, followed by the sequence of prover and verifier messages exchanged during the interaction. We denote by $\mathrm{view}^P_{V^*}(x)$ a random variable describing the content of the random tape of $V^*$ and the transcript of the interaction between $P$ and $V^*$ (that is, all messages that $V^*$ sends and receives during the interaction with $P$, on common input $x$).

Definition A.2 (Zero-Knowledge) Let $\langle P, V\rangle$ be an interactive proof system for a language $L$. We say that $\langle P, V\rangle$ is zero-knowledge, if for every probabilistic polynomial-time interactive machine $V^*$ there exists a probabilistic polynomial-time algorithm $S_{V^*}$ such that the ensembles $\{\mathrm{view}^P_{V^*}(x)\}_{x \in L}$ and $\{S_{V^*}(x)\}_{x \in L}$ are computationally indistinguishable.
To make Definition A.2 useful in the context of protocol composition, Goldreich and Oren [9] suggested to augment the definition so that the corresponding conditions hold also with respect to all $z \in \{0,1\}^*$, where both $V^*$ and $S_{V^*}$ are allowed to obtain $z$ as auxiliary input. Jumping ahead, we comment that in the context of black-box simulation, the original definition implies the augmented one (i.e., any black-box ZK protocol is also ZK w.r.t. auxiliary inputs). Since in this work we only consider the notion of black-box ZK, we may ignore the issue of auxiliary inputs while being guaranteed that all results hold with respect to the augmented definition as well.



A.4 Black-Box Zero-Knowledge

Loosely speaking, the definition of black-box zero-knowledge requires that there exists a “universal” simulator, $S$, so that for every $x \in L$ and every probabilistic polynomial-time adversary $V^*$, the simulator $S$ produces a distribution that is indistinguishable from $\mathrm{view}^P_{V^*}(x)$ while using $V^*$ as an oracle (i.e., in a “black-box” manner). Essentially, the definition of black-box simulation says that the black-box simulator mimics the interaction of the prover $P$ with any polynomial-time verifier $V^*$ relative to any random input $r$ it might choose. The simulator does so merely by using oracle calls to $V^*(x; r)$ (which specifies the next message that $V^*$ sends on input $x$ and random input $r$). The simulation is indistinguishable from the true interaction even if the distinguisher (i.e., $D$) is given access to the oracle $V^*(x; r)$. For more details see Section 4.5.4.2 of [6].

Definition A.3 (Black-Box Zero-Knowledge) Let $\langle P, V\rangle$ be an interactive proof system for a language $L$. We say that $\langle P, V\rangle$ is black-box zero-knowledge, if there exists a probabilistic polynomial-time algorithm $S$, so that for every probabilistic polynomial-time interactive machine $V^*$, the ensembles $\{\mathrm{view}^P_{V^*}(x)\}_{x \in L}$ and $\{S^{V^*}(x)\}_{x \in L}$ are computationally indistinguishable.

A.5 Commitment Schemes

Commitment schemes are used to enable a party, known as the sender, to commit 
itself to a value while keeping it secret from the receiver (this property is called 
hiding). Furthermore, the commitment is binding, and thus in a later stage when 
the commitment is opened, it is guaranteed that the “opening” can yield only a 
single value determined in the committing phase. 

Perfectly-binding commitments. In a perfectly binding commitment scheme, 
the binding property holds even for an all-powerful sender, while the hiding 
property is only guaranteed with respect to a polynomial-time bounded receiver. 

Non-interactive perfectly-binding commitment schemes can be constructed 
using any 1-1 one-way function (see Section 4.4.1 of [6]). Allowing interaction 
(in which the receiver first sends a single message), (almost) perfectly-binding 
commitment schemes can be obtained from any one-way function [15,12]. 
Perfectly-hiding commitments. In a perfectly hiding commitment scheme, the binding property is guaranteed to hold only with respect to a probabilistic polynomial-time sender. On the other hand, the hiding property is information-theoretic. That is, the distributions of commitments to 0 and commitments to 1 are identical (statistically-close), and thus even an all-powerful receiver cannot know the value committed to by the sender. (See Section 4.8.2 of [6].)

Perfectly hiding commitment schemes can be constructed from any one-way permutation [16]. However, constant-round schemes are only known to exist under stronger assumptions; specifically, assuming the existence of collision-resistant hash functions [17,4] or the existence of a collection of certified claw-free functions [7] (see also [6], Section 4.8.2.3).
Abstract. In the setting of concurrent self composition, a single protocol is executed many times concurrently by a single set of parties. In 
this paper, we prove that there exist many functionalities that cannot be 
securely computed in this setting. We also prove a communication com- 
plexity lower bound on protocols that securely compute a large class of 
functionalities in this setting. Specifically, we show that any protocol that 
computes a functionality from this class and remains secure for m con- 
current executions, must have bandwidth of at least m bits. Our results 
hold for the plain model (where no trusted setup phase is assumed), and 
for the case that the parties may choose their inputs adaptively, based 
on previously obtained outputs. While proving our impossibility result, 
we also show that for many functionalities, security under concurrent 
self composition (where a single secure protocol is run many times) is 
actually equivalent to the seemingly more stringent requirement of se- 
curity under concurrent general composition (where a secure protocol is 
run concurrently with other arbitrary protocols). This observation has 
significance beyond the impossibility results that are derived by it for 
concurrent self composition. 



1 Introduction 

In the setting of two-party computation, two parties with respective private inputs $x$ and $y$, wish to jointly compute a functionality $f(x, y) = (f_1(x, y), f_2(x, y))$, such that the first party receives $f_1(x, y)$ and the second party receives $f_2(x, y)$. This functionality may be probabilistic, in which case $f(x, y)$ is 
a random variable. Loosely speaking, the security requirements are that nothing 
is learned from the protocol other than the output (privacy), and that the out- 
put is distributed according to the prescribed functionality (correctness) . These 
security requirements must hold in the face of an adversary who controls one 
of the parties and can arbitrarily deviate from the protocol instructions (i.e., in 
this work we consider malicious, static adversaries). Powerful feasibility results 
have been shown for this problem, demonstrating that any two-party proba- 
bilistic polynomial-time functionality can be securely computed, assuming the 
existence of trapdoor permutations [21,11]. 

* A full version of this paper can be found on the Cryptology ePrint Archive. 

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 203-222, 2004. 
Security under concurrent composition. The feasibility results of [21,11] 
relate only to the stand-alone setting, where a single pair of parties run a single 
execution. A more general (and realistic) setting relates to the case that many 
protocol executions are run concurrently within a network. Unfortunately, the 
security of a protocol in the stand-alone setting does not necessarily imply its 
security under concurrent composition. Therefore, it is important to re-establish 
the feasibility results of the stand-alone setting for the setting of concurrent 
composition, or alternatively, to demonstrate that this cannot be done. 

The notion of protocol composition can be interpreted in many ways. A very 
important distinction to be made relates to the context in which the protocol is 
executed. This refers to the question of which protocols are being run together 
in the network, or in other words, with which protocols should the protocol in 
question compose. There are two contexts that have been considered, defining 
two classes of composition: 

1. Self composition: A protocol is said to be secure under self composition if it 
remains secure when it alone is executed many times in a network. We stress 
that in this setting, there is only one protocol that is being run many times. 
This is the type of composition considered, for example, in the entire body 
of work on concurrent zero-knowledge (e.g., [9,20]). 

2. General composition: In this type of composition, many different protocols are 
run together in the network. Furthermore, these protocols may have been de- 
signed independently of one another. A protocol is said to maintain security 
under general composition if its security is maintained even when it is run 
along with other arbitrary protocols. This is the type of composition that 
was considered, for example, in the framework of universal composability [4]. 

We stress a crucial difference between self and general composition. In self com- 
position, the protocol designer has control over everything that is being run in 
the network. However, in general composition, the other protocols being run 
may even have been designed maliciously after the secure protocol is fixed. We 
note that this additional adversarial capability has been shown to yield practical 
attacks against real protocols [13]. 

Another distinction that we will make relates to the number of times a se- 
cure protocol is run. Typically, a protocol is expected to remain secure for any 
polynomial number of sessions. This is the “default” notion, and we sometimes 
refer to it as unbounded concurrency. A more restricted notion is that of bounded 
concurrency. In this case, a fixed bound on the number of concurrent executions 
is given, and the protocol need only remain secure when the number of concur- 
rent execution does not exceed this bound. (When the bound is m, we call this 
m-bounded concurrency.) Note that the protocol may depend on this bound. 

Feasibility of security under composition. The notion of concurrent gen- 
eral composition was first studied by [19] who considered the case that a secure 
protocol is executed once concurrently with another arbitrary protocol. (A defi- 
nition and composition theorem were presented in [19], but no general feasibility 
results were demonstrated.) The unbounded case, where a secure protocol can 
be run any polynomial number of times in an arbitrary network, was then considered in the framework of universal composability [4]. Informally speaking, a 
protocol that is proven secure under the definition of universal composability is 
guaranteed to remain secure when run any polynomial number of times in the 
setting of concurrent general composition. This setting realistically models the 
security requirements in modern networks. Therefore, obtaining protocols that 
are secure by this definition is of great interest. On the positive side, it has been 
shown that in the case of an honest majority, essentially any functionality can 
be securely computed in this framework [4]. Furthermore, even when there is no 
honest majority, it is possible to securely compute any functionality in the com- 
mon reference string (CRS) model [8]. (In the CRS model, all parties have access 
to a common string that is chosen according to some distribution. Thus, this as- 
sumes some trusted setup phase.) However, it is desirable to obtain protocols in 
a setting where no trusted setup phase is assumed. Unfortunately, in the case of 
no honest majority and no trusted setup, broad impossibility results for univer- 
sal composability have been demonstrated [5,4,7]. Recently, it was shown in [16] 
that these impossibility results extend to any security definition that guarantees 
security under concurrent general composition (including the definition of [19]). 

Thus, it seems that in order to obtain security without an honest majority 
or a trusted setup phase, we must turn to self composition. Indeed, as a first 
positive step, it has been shown that any functionality can be securely computed 
under m-bounded concurrent self composition [14,18]. Unfortunately, however, 
these protocols are highly inefficient: The protocol of [14] has many rounds of 
communication and both the protocols of [14] and [18] have high bandwidth. 
(That is, in order to obtain security for $m$ executions, the protocol of [14] has more than $m$ rounds and communication complexity of at least $mn^2$. In contrast, the protocol of [18] has only a constant number of rounds, but still suffers from communication complexity of at least $mn^2$.) In addition to the above positive results, it has also been shown that there exist functionalities so that any 
protocol that securely computes one of them under m-bounded concurrent self 
composition, and is proven secure using black-box simulation, must have more 
than m rounds of communication [14]. These works still leave open the following 
important questions: 

1. Is it possible to obtain protocols that remain secure under unbounded con- 
current self composition, and if yes, for which functionalities? 

2. Is it possible to obtain efficient protocols that remain secure under un- 
bounded, or even m-bounded, concurrent self composition? (By efficient, we 
mean that at least, there should be no dependence on the bound m.) 

As we have mentioned, these questions are open for the case that no trusted setup 
phase is assumed and when there is no honest majority, as in the important two 
party case. 

Our results. In this paper, we provide negative answers to the above two 
questions. More precisely, we show that there exist large classes of functionalities 
that cannot be securely computed under unbounded concurrent self composition. 
We also prove a communication complexity lower bound for protocols that are 
secure under m-bounded concurrent self composition. This is the first lower 
bound of this type, connecting the communication complexity of a protocol with 
the bound on the number of executions for which it remains secure. 

Theorem 1 (impossibility for unbounded concurrency - informal): There exist large classes of two-party functionalities that cannot be securely computed under unbounded concurrent self composition, by any protocol.

In order to prove this result, we show that for many functionalities, obtaining 
security under unbounded concurrent self composition is actually equivalent to 
obtaining security under concurrent general composition (that is, a protocol is 
secure under one notion if and only if it is secure under the other). This may 
seem counter-intuitive, because in the setting of self composition, the protocol 
designer has full control over the network. Specifically, the only protocol that is 
run in the network is the specified secure protocol. In contrast, in the setting of 
general composition, a protocol must remain secure even when run concurrently 
with arbitrary other protocols. Furthermore, these protocols may be designed 
maliciously in order to attack the secure protocol. Despite this apparent differ- 
ence, we show that equivalence actually holds. 

The above-described equivalence between concurrent self and general com- 
position is proven for all functionalities that “enable bit transmission” . Loosely 
speaking, such a functionality can be used by each party to send any arbitrary 
bit to the other party. Essentially, any non-constant functionality that depends 
on both party’s inputs, and where both parties receive output, has this property; 
see Section 2.3. We note that in a model where the parties can play different 
roles in the computation (e.g., if zero-knowledge is being computed, then in 
some executions a party plays the prover and in others it plays the verifier), 
then any functionality with the property that one party’s output depends on 
the other party’s input actually enables bit transmission. In Section 3, we prove 
the following theorem: 

Theorem 2 (equivalence of self and general composition - informal): Let $f$ be a two-party functionality that enables bit transmission. Then, $f$ can be securely computed under unbounded concurrent self composition if and only if it can be securely computed under concurrent general composition.

The above equivalence holds for any functionality that enables bit transmission. 
In the full version of this paper, we show that an analogue of Theorem 2 does not 
hold for functionalities that do not enable bit transmission. In the full version, 
we also show that in the above-mentioned model where the parties can play 
different roles in the computation, then concurrent self composition is equivalent 
to concurrent general composition, for all functionalities. 

Returning back to the proof of Theorem 1, impossibility is derived by com- 
bining the equivalence between concurrent self and general composition as stated 
in Theorem 2 with the impossibility results for concurrent general composition 
that were demonstrated in [16]. This answers the first question above, at least 
in that it demonstrates impossibility for large classes of functionalities. (It is 
still far, however, from a full characterization of feasibility.) Regarding the sec- 
ond question, we prove the following theorem that rules out the possibility of 
obtaining “efficient” protocols for m-bounded concurrency: 

Theorem 3 (communication complexity lower bound - informal) : There exists 
a large class of two-party functionalities so that any protocol that securely com- 
putes a functionality in this class under m-bounded concurrent self composition, 
must have communication complexity of at least m. 

Theorem 3 is essentially proven by directly combining the proof of Theorem 2 
with proofs of impossibility from [16] and [7]; see Section 5. 

Remarks. We stress that the above results are unconditional. That is, im- 
possibility holds without any complexity assumptions. Furthermore, we assume 
nothing about the simulation, and in particular do not assume that it is “black- 
box”. We also note that although Theorems 1 and 3 are stated for two-party 
functionalities, they immediately imply impossibility results for multi-party func- 
tionalities as well. This is because secure protocols for multi-party functionalities 
can be used to solve two-party tasks as well. 

It is important to note that our definition of security under concurrent self 
composition is such that honest parties may choose their inputs adaptively, based 
on previously obtained outputs. This is a seemingly harder definition to achieve 
than one where the inputs to all the executions are fixed ahead of time. We 
stress that allowing the inputs to be chosen adaptively is crucial to the proof 
of our impossibility results. Nevertheless, we believe that this is also the desired 
definition (since in real settings, outputs from previous executions may indeed 
influence the inputs of later executions).

Other related work. The focus of this work is the ability to obtain secure 
protocols for solving general tasks. However, security under concurrent compo- 
sition has also been studied for specific tasks of interest. Indeed, the study of 
security under concurrent composition was initiated in the context of concur- 
rent zero knowledge [10,9], where a prover runs many copies of a protocol with 
many verifiers. Thus, these works consider the question of security under self 
composition. This problem has received much attention; see [20,6,1] for just a 
few examples. Other specific problems have also been considered, but are not 
directly related to this paper. 



2 Definitions 

In this section, we present definitions for security under concurrent self compo- 
sition and concurrent general composition, and we define the notion of functions 
that enable bit transmission. We denote the equivalence of distributions by $\equiv$, computational indistinguishability by $\stackrel{c}{\equiv}$, and the security parameter by $n$. The adversary always runs in time that is polynomial in $n$.
2.1 Concurrent Self Composition of Two-Party Protocols

We begin by presenting the definition for security under concurrent self composi- 
tion. The basic description and definition of secure computation follows [12,2,17, 
3]. Due to lack of space in this abstract, we present a slightly abridged definition 
and refer to the full version of this paper and [14] for full definitions. (Note that 
our definition here actually differs from [14] in that here the honest parties may 
adaptively choose their input to a session as a function of previously obtained 
outputs.) 

Two-party computation. A two-party protocol problem is cast by specifying a random process that maps pairs of inputs to pairs of outputs (one for each party). We refer to such a process as a functionality and denote it $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$, where $f = (f_1, f_2)$. That is, for every pair of inputs $(x, y)$, the output-pair is a random variable $(f_1(x, y), f_2(x, y))$ ranging over pairs of strings. The first party (with input $x$) wishes to obtain $f_1(x, y)$ and the second party (with input $y$) wishes to obtain $f_2(x, y)$. We often denote such a functionality by $(x, y) \mapsto (f_1(x, y), f_2(x, y))$. Thus, for example, the zero-knowledge proof of knowledge functionality for a relation $R$ is denoted by $((x, w), \lambda) \mapsto (\lambda, (x, R(x, w)))$. In the context of concurrent composition, each party actually uses many inputs (one for each execution), and these may be chosen adaptively based on previous outputs. We consider both concurrent self composition (where the number of executions is unbounded) and $m$-bounded concurrent self composition (where the number of concurrent executions is a priori bounded by $m$ and the protocol design can depend on this bound).

Adversarial behavior. In this work we consider a malicious, static adversary 
that runs in time that is polynomial in the security parameter. Such an adversary 
controls one of the parties (who is called corrupted) and may then interact with 
the honest party while arbitrarily deviating from the specified protocol. Our 
definition does not guarantee any fairness. That is, the adversary always receives 
its own output and can then decide when (if at all) the honest party will receive 
its output. The scheduling of message delivery is decided by the adversary. 

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in the protocol to what it can do in an ideal scenario that is trivially secure. This is formalized by considering an ideal computation involving an incorruptible trusted third party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Unlike in the case of stand-alone computation, here the trusted party computes the functionality many times, each time upon different inputs. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted third party exists) can do no more harm than if it was involved in the above-described ideal computation.

Concurrent executions in the ideal model. In an ideal execution, the parties $P_1$ and $P_2$ interact with a trusted third party, sending it inputs and receiving back outputs. The inputs of $P_1$ and $P_2$ are determined by polynomial-size input-deciding circuit families $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$, respectively. The circuits $X_n$ and $Y_n$ are polynomial in $n$ and output exactly $n$ bits. These circuits determine the length-$n$ input values to be used, based on the current session number and previous outputs. Note that the number of previous outputs ranges from zero (for the case that no previous outputs have yet been obtained) to some fixed polynomial in $n$ (that depends on the number of sessions initiated by the adversary).^1 Now, the ideal execution proceeds as follows. Whenever the adversary wishes to initiate a new session, it sends a start-session message to the trusted party. The trusted party then sends (start-session, $i$) to the honest party, where $i$ is the index of the session (i.e., this is the $i$-th session to be started). Upon receiving (start-session, $i$) from the trusted party, the honest party applies its input-deciding circuit to $i$ and its previous outputs, and obtains a new input $v_i$ for this session. The honest party then sends $(i, v_i)$ to the trusted party.

Whenever it wishes, the adversary can then send a message $(i, w_i)$ to the trusted party, for any $w_i \in \{0,1\}^n$ of its choice. Upon sending this pair, it receives back its output from the trusted party, computed upon inputs $(v_i, w_i)$. Following this, but again whenever it wishes, the adversary can instruct the trusted party to send the honest party its $i$-th output; the adversary does this by sending a (send-output, $i$) message to the trusted party. Finally, at the conclusion of the execution, the honest party outputs the vector of outputs that it received from the trusted party, and the adversary may output an arbitrary (probabilistic polynomial-time computable) function of its auxiliary input $z$, the corrupted party's input-deciding circuit and the outputs obtained from the trusted party.

Let $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$ be a functionality, and let $S$ be a non-uniform probabilistic polynomial-time machine (representing the ideal-model adversary). Then, the ideal execution of $f$ (on input-deciding circuits $(X_n, Y_n)$ and auxiliary input $z$ to $S$), denoted $\mathrm{IDEAL}_{f,S}(X_n, Y_n, z)$, is defined as the output pair of the honest party and $S$ from the above ideal execution.

(We note that the definition of the ideal model does not differ for the case that unbounded concurrency or $m$-bounded concurrency is considered. This is because this bound is relevant only to the scheduling allowed to the adversary in the real model; see below.)

Execution in the real model. We next consider the real model in which a real two-party protocol is executed (and there exists no trusted third party). Let $f$ be as above and let $\rho$ be a polynomial-time two-party protocol for computing $f$. (We say that a protocol is polynomial-time if the running-time of the honest parties in a single execution is bounded by a fixed polynomial.) In addition, let $A$ be a non-uniform probabilistic polynomial-time machine that controls either $P_1$ or $P_2$. Then, the real concurrent execution of $\rho$ (with input-deciding circuits $(X_n, Y_n)$ and auxiliary input $z$ to $A$), denoted $\mathrm{REAL}_{\rho,A}(X_n, Y_n, z)$, is defined as the output pair of the honest party and $A$, resulting from the following process. The parties run concurrent executions of the protocol, where the $i$-th session is initiated by the adversary by sending a start-session message to the honest party. The honest party then applies its input-deciding circuit on $i$ and its previous outputs in order to obtain the input for this new session. (As in the ideal model, if the length of all previous outputs is greater than the maximum input length to the input-deciding circuit, then the next input is taken as $\bot$.) The scheduling of all messages throughout the executions is controlled by the adversary. That is, the execution proceeds as follows. The adversary sends a message of the form $(i, \alpha)$ to the honest party. The honest party then adds the message $\alpha$ to the view of its $i$-th execution of $\rho$ and replies according to the instructions of $\rho$ and this view. The adversary continues by sending another message $(j, \beta)$, and so on. We note that there is no restriction on the scheduling allowed by the adversary. (We sometimes refer to this as unbounded concurrency, in order to distinguish it from $m$-bounded concurrency that is defined next.)

^1 By convention, if the number of previously obtained outputs is greater than the maximum input length to the circuit, then we define the next input to be $\bot$.

In addition to the above setting where no restriction is placed on the scheduling, we also consider $m$-bounded concurrency, where the scheduling by the adversary must fulfill the following condition: for every execution $i$, from the time that the $i$-th execution begins until the time that it ends, messages from at most $m$ different executions can be sent. (Formally, view the schedule as the ordered series of messages of the form (index, message) that are sent by the adversary. Then, in the interval between the beginning and termination of any given execution, the number of different indices viewed can be at most $m$.) We note that this definition of concurrency covers the case that $m$ executions are run simultaneously. However, it also includes a more general case where many more than $m$ executions take place, but each execution overlaps with at most $m$ other executions. In this setting, the value $m$ is fixed ahead of time, and the protocol design may depend on the choice of $m$. We denote the output of the adversary and honest party in the setting of $m$-bounded concurrency by $\mathrm{REAL}^m_{\rho,A}(X_n, Y_n, z)$.
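As an added illustration that is not part of the paper, the $m$-bounded scheduling condition can be checked mechanically over an adversary's schedule: the Python below computes, for each session, the set of indices seen between its first and last message, and hence the smallest $m$ for which a given schedule is $m$-bounded. The three schedules are constructed; message contents are placeholders, since only the indices matter for the condition.

```python
from typing import Dict, List, Tuple

# A schedule is the ordered list of (index, message) pairs sent by the adversary
# in the real model; the first message carrying a given index starts that session.
Schedule = List[Tuple[int, str]]


def session_intervals(schedule: Schedule) -> Dict[int, Tuple[int, int]]:
    """Map each session index to (position of its first message, position of its last)."""
    intervals: Dict[int, Tuple[int, int]] = {}
    for pos, (idx, _msg) in enumerate(schedule):
        start = intervals[idx][0] if idx in intervals else pos
        intervals[idx] = (start, pos)
    return intervals


def concurrency_bound(schedule: Schedule) -> int:
    """Smallest m for which the schedule is m-bounded: the largest number of
    distinct session indices that appear between the start and end of any one
    session (the session itself is counted, so m executions run simultaneously
    give a bound of m)."""
    bound = 0
    for start, end in session_intervals(schedule).values():
        seen = {idx for idx, _ in schedule[start:end + 1]}
        bound = max(bound, len(seen))
    return bound


def is_m_bounded(schedule: Schedule, m: int) -> bool:
    """The schedule satisfies m-bounded concurrency iff, for every execution i,
    at most m different indices are viewed while execution i is active."""
    return concurrency_bound(schedule) <= m


# Constructed schedules: purely sequential sessions, three fully nested sessions,
# and a chain of five sessions in which each one overlaps only with its neighbours.
SEQUENTIAL: Schedule = [(1, "a"), (1, "b"), (2, "a"), (2, "b"), (3, "a"), (3, "b")]
NESTED: Schedule = [(1, "a"), (2, "a"), (3, "a"), (3, "b"), (2, "b"), (1, "b")]
CHAIN: Schedule = [(1, "a"), (2, "a"), (1, "b"), (3, "a"), (2, "b"),
                   (4, "a"), (3, "b"), (5, "a"), (4, "b"), (5, "b")]

if __name__ == "__main__":
    for name, sched in [("sequential", SEQUENTIAL), ("nested", NESTED), ("chain", CHAIN)]:
        print(f"{name}: {len(session_intervals(sched))} sessions, "
              f"{concurrency_bound(sched)}-bounded")
```

The chain schedule shows the "more general case" of the text: five sessions take place, yet the schedule is 3-bounded because no session is active while more than two others exchange messages.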

Security as emulation of a real execution in the ideal model. Having defined the ideal and real models, we can now define security of protocols. Loosely speaking, a protocol is secure if for every real-model adversary $A$ there exists an ideal-model adversary $S$ such that for all polynomial-size input-deciding circuits, the outcome of an ideal execution with $S$ is computationally indistinguishable from the outcome of a real protocol execution with $A$. One important technical issue which arises here is due to the fact that the same $S$ must work for all polynomial-size input-deciding circuits. In particular, this means that the honest parties (who compute their inputs in every execution from these circuits) may run longer than $S$ can run (specifically, the size of the input-deciding circuits may be greater than $S$'s running time).^2 This is an "unfair" requirement on $S$ and we therefore allow a different ideal-model adversary $S$ for every "size" circuit. That is, we require that for every real adversary $A$ and polynomial $q(\cdot)$ there exists an ideal adversary $S$ that works for all input-deciding circuit families $X = \{X_n\}$ and $Y = \{Y_n\}$ of size $O(q(n))$. We stress that any protocol that is secure when $S$ must work for all polynomial-size input-deciding circuits is also secure under this relaxation. This modification therefore only strengthens our impossibility results.^3 We now present the definition:

^2 We note that the number of executions is not a problem because this is determined by $A$, and $S$ comes after $A$ in the order of quantifiers.

Definition 1 (security under concurrent self composition): Let $f$ and $\rho$ be as above. Protocol $\rho$ is said to securely compute $f$ under concurrent self composition if for every real-model non-uniform probabilistic polynomial-time adversary $A$ controlling party $P_i$ for $i \in \{1, 2\}$ and every polynomial $q(\cdot)$, there exists an ideal-model non-uniform probabilistic polynomial-time adversary $S$ controlling $P_i$, such that for all families of input-deciding circuits $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$ of size at most $O(q(n))$, and every auxiliary input $z \in \{0,1\}^*$,

$$\{\mathrm{IDEAL}_{f,S}(X_n, Y_n, z)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{REAL}_{\rho,A}(X_n, Y_n, z)\}_{n \in \mathbb{N}}$$

Let $m = m(n)$ be a fixed polynomial. Then, we say that $\rho$ securely computes $f$ under $m$-bounded concurrent self composition if

$$\{\mathrm{IDEAL}_{f,S}(X_n, Y_n, z)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{REAL}^m_{\rho,A}(X_n, Y_n, z)\}_{n \in \mathbb{N}}$$

Non-trivial protocols. Notice that by the definition of security in the ideal 
model, the honest party is never guaranteed to receive output. Therefore, the 
“real” protocol that just hangs and does not provide output to any party is 
actually secure by definition (and so our impossibility results cannot apply to 
all protocols). We therefore introduce the notion of non-trivial protocols. Such a 
protocol has the property that if the real-model adversary instructs the corrupted 
party to act honestly (i.e., follow the protocol specification), then both parties 
receive output. 

2.2 Concurrent General Composition of Two-Party Protocols

Informally speaking, concurrent general composition considers the case that a secure protocol $\rho$ runs concurrently with an arbitrary other protocol $\pi$. Furthermore, the inputs to $\rho$ can be influenced (or actually determined) by protocol $\pi$. In the formalization of this setting, $\pi$ is a "controlling protocol" that, among other things, contains ideal calls to a trusted party that computes a functionality $f$. When these calls are replaced by executions of $\rho$, we denote the composed protocol by $\pi^\rho$. We stress that, in addition to representing a "controlling protocol", $\pi$ can also represent arbitrary protocols that are running concurrently with $\rho$ in the network. Therefore, by requiring that $\rho$ remains secure for every calling protocol $\pi$, we derive that $\rho$ remains secure when executed in any network with any set of protocols running. See [16] for more discussion.

^3 The reason that we insist on allowing a different $S$ for every $q(\cdot)$ is due to the fact that, otherwise, it would turn out that concurrent general composition does not imply concurrent self composition. This would be absurd. We stress that our proof that concurrent self composition implies concurrent general composition holds in any case.
Let $\rho$ be as above and assume that it computes a functionality $f$. Then, the security of $\rho$ when composed with $\pi$ in the real model is formalized by comparing the $\pi^\rho$ composition to a hybrid execution where $\pi$ uses ideal calls to a trusted party computing the functionality $f$. If the results of the hybrid and real executions are indistinguishable, then this means that a real execution of $\rho$ behaves like an ideal call to $f$, even when run concurrently with $\pi$.

The hybrid model. Let $\pi$ be an arbitrary polynomial-time protocol that utilizes ideal interaction with a trusted party computing a two-party functionality $f$. This means that $\pi$ contains two types of messages: standard messages and ideal messages. A standard message is one that is sent between the parties that are participating in the execution of $\pi$; an ideal message is one that is sent by a participating party to the trusted third party, or from the trusted third party to a participating party. This trusted party computes $f$ and associates all ideal messages with $f$. Notice that the computation of $\pi$ is a "hybrid" between the ideal model (where a trusted party carries out the entire computation) and the real model (where the parties interact with each other only). Specifically, the messages of $\pi$ are sent directly between the parties, and the trusted party is only used in the ideal calls to $f$.

The interaction with the trusted party is exactly according to the description of concurrent executions in the ideal model, as described in Section 2.1. In contrast, the standard messages are dealt with exactly according to the description of the real model, as described in Section 2.1. More formally, computation in the hybrid model proceeds as follows. The computation begins with the adversary receiving the input and random tape of the corrupted party. Throughout the execution, the adversary sends any standard and ideal messages that it wishes in the name of this party (where the format of the ideal messages is as defined in the ideal execution in Section 2.1). The honest party always follows the specification of protocol $\pi$. Specifically, upon receiving a message (from the adversary or trusted party), the party reads the message, carries out a local computation as instructed by $\pi$, and sends standard and/or ideal messages, as instructed by $\pi$. At the end of the computation, the honest party writes the output value prescribed by $\pi$ on its output tape and the adversary outputs an arbitrary function of its view. Let $n$ be the security parameter, let $S$ be an adversary for the hybrid model with auxiliary input $z$, and let $x, y \in \{0,1\}^n$ be the parties' respective inputs to $\pi$. Then, the hybrid execution of $\pi$ with functionality $f$, denoted $\mathrm{HYBRID}^f_{\pi,S}(x, y, z)$, is defined as the output of the adversary $S$ and of the honest party from the above hybrid execution.

The real model — general composition. Let $\rho$ be a polynomial-time two-party protocol for computing the functionality $f$. Intuitively, the composition of protocol $\pi$ with $\rho$ is such that $\rho$ takes the place of the interaction with the trusted party that computes $f$. Formally, each party holds separate probabilistic interactive Turing machines (ITMs) that work according to the specification of protocol $\rho$ for that party. When $\pi$ instructs a party to send an ideal message $\alpha$ to the trusted party, the party writes $\alpha$ on the input tape of a new ITM for $\rho$ and invokes the machine. Any message that it receives that is marked for this execution of $\rho$, it forwards to this ITM, and all other messages are answered according to $\pi$. (The different executions of $\rho$ are distinguished with indices, as described in Section 2.1. Furthermore, $\pi$-messages are distinguished from $\rho$-messages with a unique index/symbol for $\pi$.) Finally, when an execution of $\rho$ concludes and a value $\beta$ is written on the output tape of an ITM, the party copies $\beta$ to the incoming communication tape for $\pi$, as if $\beta$ is an ideal message (i.e., output) received from the trusted party. This composition of $\pi$ with $\rho$ is denoted $\pi^\rho$ and takes place without any trusted help. Let $n$ be the security parameter, let $A$ be an adversary for the real model with auxiliary input $z$, and let $x, y \in \{0,1\}^n$ be the parties' respective inputs to $\pi$. Then, the real execution of $\pi$ with $\rho$, denoted $\mathrm{REAL}_{\pi^\rho,A}(x, y, z)$, is defined as the output of the adversary $A$ and of the honest party from the above real execution.

Security as emulation of a real execution in the hybrid model. Having defined the hybrid and real models, we can now define security of protocols. Loosely speaking, the definition asserts that for any context, or calling protocol $\pi$, the real execution of $\pi^\rho$ emulates the hybrid execution of $\pi$ which utilizes ideal calls to $f$. The fact that the above emulation must hold for every protocol $\pi$ that utilizes ideal calls to $f$ means that general composition is being considered.

Definition 2 (security under concurrent general composition): Let $\rho$ be a polynomial-time two-party protocol and $f$ a two-party functionality. Then, $\rho$ securely realizes $f$ under concurrent general composition if for every polynomial-time protocol $\pi$ that utilizes ideal calls to $f$ and every non-uniform probabilistic polynomial-time real-model adversary $A$ for $\pi^\rho$, there exists a non-uniform probabilistic polynomial-time hybrid-model adversary $S$ such that for all inputs $x, y \in \{0,1\}^n$ and all auxiliary inputs $z \in \{0,1\}^*$,

$$\{\mathrm{HYBRID}^f_{\pi,S}(x, y, z)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{REAL}_{\pi^\rho,A}(x, y, z)\}_{n \in \mathbb{N}}$$

Note that non-trivial protocols are also defined for general composition. Once 
again, the requirement is that if A instructs the corrupted party to act honestly 
in the execution of p, then the honest party receives its output from p. 

2.3 Functionalities That Enable Bit Transmission

Informally speaking, a functionality enables bit transmission if it can be used by the parties to send bits to each other. For example, the "equality functionality", where both parties receive the output, enables bit transmission as follows. The party who wishes to receive a bit inputs a predetermined value, say 1. Then, if the sending party wishes to send a bit 0, it inputs 0 (in this case, the inputs are not equal and so the output of the computation is 0). On the other hand, if the sending party wishes to send the bit 1, then it inputs 1 (thus, the inputs are equal and the output is 1). Notice that a functionality enables bit transmission only if both parties are able to send bits to each other. Therefore, functionalities like oblivious transfer and zero-knowledge do not enable bit transmission, because only one party receives output. Nevertheless, by considering a more general setting where both parties can play both roles in the functionality (e.g., both parties can prove statements in zero-knowledge and both parties can play the sender in the oblivious transfer), we obtain that any functionality with the property that one party's output depends on the other party's input actually enables bit transmission. This generalization is dealt with in the full version of this paper. We now present the formal definition:

Definition 3 (functionalities that enable bit transmission): A deterministic functionality $f = (f_1, f_2)$ enables bit transmission from $P_1$ to $P_2$ if there exists an input $y$ for $P_2$ and a pair of inputs $x$ and $x'$ for $P_1$ such that $f_2(x, y) \neq f_2(x', y)$. Likewise, $f = (f_1, f_2)$ enables bit transmission from $P_2$ to $P_1$ if there exists an input $x$ for $P_1$ and a pair of inputs $y$ and $y'$ for $P_2$ such that $f_1(x, y) \neq f_1(x, y')$. We say that a functionality enables bit transmission if it enables bit transmission from $P_1$ to $P_2$ and from $P_2$ to $P_1$.

We note that the notion of enabling bit transmission can be generalized to probabilistic functionalities in a straightforward way.

3 Self Composition versus General Composition

In this section we show that if a functionality $f$ enables bit transmission, then a protocol $\rho$ securely computes $f$ under (unbounded) concurrent self composition if and only if it securely computes $f$ under concurrent general composition. Thus, the difference between self and general composition no longer holds for such functionalities. We stress that there is nevertheless a difference between these notions when bounded composition is considered. Specifically, security under bounded concurrency can be achieved for self composition [14,18], but cannot be achieved for general composition [16]. (By bounded concurrency in the setting of general composition, we mean that the number of executions of the secure protocol is a priori bounded, exactly like in self composition. In contrast, there is no bound on the calling protocol $\pi$.)

Theorem 4 Let $f$ be a two-party functionality that enables bit transmission, and let $\rho$ be a polynomial-time protocol. Then, $\rho$ securely computes $f$ under (unbounded) concurrent self composition if and only if $\rho$ securely computes $f$ under concurrent general composition.

Intuitively, security under general composition implies security under self composition because in both cases, many copies of the secure protocol are run; the only difference is that in the setting of general composition, other protocols may also be run. The other, more interesting direction, is proven as follows. Loosely speaking, the parties use the "bit transmission property" of $f$ in order to emulate an execution of $\pi^\rho$, while only running copies of $\rho$ (recall that $\pi^\rho$ denotes the concurrent general composition of a secure protocol $\rho$ with an arbitrary other protocol $\pi$). This can be carried out by sending the messages of $\pi$ one bit at a time, via executions of the protocol $\rho$ that computes $f$. Thus, it is possible to emulate the setting of concurrent general composition, within the context of concurrent self composition. The proof of Theorem 4 appears in the full version of this paper. As we have mentioned, we also show that in a model where the parties can play different roles in the computation, full equivalence holds between concurrent self composition and concurrent general composition.

In the full version of this paper, we also show a separation between concurrent self composition and concurrent general composition, for functions that do not enable bit transmission. Specifically, we show that the zero-knowledge proof of knowledge functionality (for an NP-complete language) can be securely computed under concurrent self composition. However, in [16], it has been shown that this cannot be achieved under concurrent general composition.



4 Impossibility for Concurrent Self Composition 

An important ramification of Theorem 4 is that known impossibility results for concurrent general composition apply also to unbounded concurrent self composition, as long as the functionality in question enables bit transmission. As we will see, this rules out the possibility of obtaining security under concurrent self composition for large classes of two-party functionalities. We stress that the impossibility results are unconditional. That is, they hold without any complexity assumptions and for any type of simulation (in particular they are not limited to "black-box" simulation).

Impossibility for concurrent general composition. The following impossibility results for concurrent general composition were shown in [16]:

1. Let $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be a deterministic functionality. If $f$ depends on both parties' inputs,^4 then the functionality $(x, y) \mapsto (f(x, y), f(x, y))$ cannot be securely computed under concurrent general composition by any non-trivial protocol. (Recall that a protocol is non-trivial if it generates output when both parties are honest.)

2. Let $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$ be a deterministic functionality and denote $f = (f_1, f_2)$. If $f$ is not completely revealing,^5 then the functionality $(x, y) \mapsto (f_1(x, y), f_2(x, y))$ cannot be securely computed under concurrent general composition by any non-trivial protocol.

Impossibility results for concurrent self composition. Let $\Phi$ be the set of functionalities described above, that cannot be securely realized under concurrent general composition, and let $\Psi$ be the set of all two-party functionalities that enable message transmission. Applying Theorem 4 to the results of [16], we obtain the following corollary:

^4 Formally, a functionality $f$ depends on both inputs if there exist $x_1, x_2, y$ and $x, y_1, y_2$ such that $f(x_1, y) \neq f(x_2, y)$ and $f(x, y_1) \neq f(x, y_2)$.

^5 The definition of completely revealing functionalities can be found in Section 5.

Corollary 5 Let $f$ be a functionality in $\Phi \cap \Psi$. Then, $f$ cannot be securely computed under unbounded concurrent self composition by any non-trivial protocol.

The set of functionalities $\Phi \cap \Psi$ contains all the functionalities ruled out in [16] that also enable bit transmission. For example, Yao's famous millionaires' problem (i.e., the computation of the "less than" functionality), where both parties receive the output, is included in this set.

5 Communication Complexity Lower Bound 

In this section we prove that for a class of functionalities $\mathcal{F}$, if a protocol $\rho$ securely computes a functionality $f \in \mathcal{F}$ under $m$-bounded concurrent composition, and $f$ enables bit transmission, then $\rho$ must have bandwidth of at least $m$ bits. We prove this for one class of functionalities $\mathcal{F}$, although the proof can be extended to other classes of functionalities that suffer from the impossibility result stated in Corollary 5. The proof of our lower bound combines ideas from [7] and [16], together with the proof of Theorem 4.

Functionalities that are completely revealing. We prove the lower bound for one class of functionalities: those that do not "completely reveal $P_1$'s or $P_2$'s input", and enable bit transmission. In order to state this, we need to formally define what it means for a functionality to be "completely revealing". Loosely speaking, a (deterministic) functionality completely reveals party $P_1$'s input, if party $P_2$ can choose an input that will enable it to completely determine $P_1$'s input (no matter what $P_1$'s input is). That is, a functionality $f$ completely reveals $P_1$'s input if there exists an input $y$ for $P_2$ so that for every $x$, it is possible to derive $x$ from $f(x, y)$. For example, let us take the maximum functionality for a given range, say $\{0, \ldots, n\}$. Then, party $P_2$ can input $y = 0$ and the result is that it will always learn $P_1$'s exact input. In contrast, the less-than functionality is not completely revealing because for any input used by $P_2$, there will always be uncertainty about $P_1$'s input (unless $P_1$'s input is the smallest or largest in the range). For our lower bound here, we will consider functionalities over finite domains only. This significantly simplifies the definition of "completely revealing". However, our proof holds for the general case as well; see the full version of [7] for a complete definition.

We begin by defining what it means for two inputs to be "equivalent": Let $f : X \times Y \to \{0,1\}^* \times \{0,1\}^*$ be a two-party functionality and denote $f = (f_1, f_2)$. Let $x, x' \in X$. We say that $x$ and $x'$ are equivalent with respect to $f_2$ if for every $y \in Y$ it holds that $f_2(x, y) = f_2(x', y)$. Notice that if $x$ and $x'$ are equivalent with respect to $f_2$, then $x$ can always be used instead of $x'$ (at least regarding $P_2$'s output). We now define completely revealing functionalities:

Definition 6 (completely revealing functionalities over finite domains): Let $f : X \times Y \to \{0,1\}^* \times \{0,1\}^*$ be a deterministic two-party functionality such that the domain $X \times Y$ is finite, and denote $f = (f_1, f_2)$. We say that the functionality $f_2$ completely reveals $P_1$'s input if there exists a single input $y \in Y$ for $P_2$, such that for every pair of values $x, x' \in X$ that are not equivalent with respect to $f_2$, it holds that $f_2(x, y) \neq f_2(x', y)$. Complete revealing for $P_2$'s input is defined analogously. We say that a functionality is completely revealing if $f_1$ completely reveals $P_2$'s input or $f_2$ completely reveals $P_1$'s input.

If a functionality completely reveals $P_1$'s input, then party $P_2$ can set its own input to be $y$ from the definition, and then $P_2$ will always obtain the exact input used by $P_1$, or one that is equivalent to it. Specifically, given $y$ and $f_2(x, y)$, it can traverse over all $X$ and find the unique $x$ that must be $P_1$'s input (or one equivalent to it). Thus we see that $P_1$'s input is completely revealed by $f_2$. In contrast, if a functionality $f_2$ does not completely reveal $P_1$'s input, then there does not exist such an input for $P_2$ that enables it to completely determine $P_1$'s input. This is because for every $y$ that is input by $P_2$, there exist two non-equivalent inputs $x$ and $x'$ such that $f_2(x, y) = f_2(x', y)$. Therefore, if $P_1$'s input is $x$ or $x'$, it follows that $P_2$ is unable to determine which of these inputs was used by $P_1$. Notice that if a functionality is not completely revealing, $P_2$ may still learn much of $P_1$'s input (or even the exact input "most of the time"). However, there is a possibility that $P_2$ will not fully obtain $P_1$'s input. As we will see, the existence of this "possibility" suffices for proving the lower bound. Note that we require that $x$ and $x'$ be non-equivalent because when they are equivalent, $x$ and $x'$ are really the same input and so, essentially, both $x$ and $x'$ are $P_1$'s input.
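As an added example that is not part of the paper, the Python below implements Definition 3 (bit transmission, Section 2.3) and Definition 6 (completely revealing) for deterministic functionalities over small finite domains, and uses a Definition 3 witness to send a bit string with one call to $f$ per bit, which is the emulation behind Theorem 4. The equality, less-than, maximum and oblivious-transfer functionalities and the domain $\{0, \ldots, 3\}$ are constructed for illustration and are not taken from the paper.

```python
from itertools import product
from typing import Callable, Iterable, List, Optional, Tuple

# A deterministic two-party functionality over finite domains X and Y is modelled
# as a callable f(x, y) -> (f1(x, y), f2(x, y)); None stands for the empty output.
Functionality = Callable[[object, object], Tuple[object, object]]


def swap_roles(f: Functionality) -> Functionality:
    """The same functionality with the roles of P1 and P2 exchanged, so that the
    P2 -> P1 direction of a definition can be checked with the P1 -> P2 code."""
    def g(y, x):
        out1, out2 = f(x, y)
        return (out2, out1)
    return g


def bit_transmission_witness(f: Functionality, X: Iterable, Y: Iterable) -> Optional[tuple]:
    """Definition 3, direction P1 -> P2: a triple (y, x, x') with
    f2(x, y) != f2(x', y), or None if P2's output never depends on P1's input."""
    X, Y = list(X), list(Y)
    for y in Y:
        for x, xp in product(X, X):
            if f(x, y)[1] != f(xp, y)[1]:
                return (y, x, xp)
    return None


def enables_bit_transmission(f: Functionality, X: Iterable, Y: Iterable) -> bool:
    """Definition 3: bit transmission must be possible in both directions."""
    return (bit_transmission_witness(f, X, Y) is not None
            and bit_transmission_witness(swap_roles(f), Y, X) is not None)


def equivalent_wrt_f2(f: Functionality, x, xp, Y: Iterable) -> bool:
    """x and x' are equivalent with respect to f2 if f2(x, y) == f2(x', y) for all y."""
    return all(f(x, y)[1] == f(xp, y)[1] for y in Y)


def f2_completely_reveals_p1_input(f: Functionality, X: Iterable, Y: Iterable) -> bool:
    """Definition 6: some single y gives distinct f2-outputs to every pair of
    non-equivalent x, x', so P2 can recover P1's input (up to equivalence)."""
    X, Y = list(X), list(Y)
    for y in Y:
        if all(f(x, y)[1] != f(xp, y)[1]
               for x, xp in product(X, X) if not equivalent_wrt_f2(f, x, xp, Y)):
            return True
    return False


def completely_revealing(f: Functionality, X: Iterable, Y: Iterable) -> bool:
    """f is completely revealing if f2 reveals P1's input or f1 reveals P2's input."""
    return (f2_completely_reveals_p1_input(f, X, Y)
            or f2_completely_reveals_p1_input(swap_roles(f), Y, X))


def transmit_bits(f: Functionality, X: Iterable, Y: Iterable,
                  bits: List[int]) -> Tuple[List[int], int]:
    """Send bits from P1 to P2 using one call to f per bit, as in the emulation
    of pi^rho by executions of rho. Returns (bits decoded by P2, number of calls)."""
    witness = bit_transmission_witness(f, X, Y)
    if witness is None:
        raise ValueError("f does not enable bit transmission from P1 to P2")
    y, x0, x1 = witness            # P2 always inputs y; P1 inputs x0 for 0, x1 for 1
    zero_output = f(x0, y)[1]      # what P2 sees when the transmitted bit is 0
    decoded = [0 if f(x1 if b else x0, y)[1] == zero_output else 1 for b in bits]
    return decoded, len(bits)


# Constructed example functionalities; in the first three both parties receive
# the same output.
def equality(x, y):
    return (int(x == y), int(x == y))


def less_than(x, y):                # Yao's millionaires' problem
    return (int(x < y), int(x < y))


def maximum(x, y):
    return (max(x, y), max(x, y))


def oblivious_transfer(x, y):       # x = (b0, b1), y = choice bit; only P2 gets output
    return (None, x[y])


DOMAIN = range(4)                                  # constructed domain {0, ..., 3}
OT_SENDER_INPUTS = list(product((0, 1), repeat=2))

if __name__ == "__main__":
    for name, f in [("equality", equality), ("less-than", less_than), ("maximum", maximum)]:
        print(name, "bit transmission:", enables_bit_transmission(f, DOMAIN, DOMAIN),
              "completely revealing:", completely_revealing(f, DOMAIN, DOMAIN))
    print("OT bit transmission:",
          enables_bit_transmission(oblivious_transfer, OT_SENDER_INPUTS, (0, 1)))
    print("sent 1,0,1,1,0 via equality ->", transmit_bits(equality, DOMAIN, DOMAIN, [1, 0, 1, 1, 0]))
```

Over $\{0, \ldots, 3\}$ the less-than functionality enables bit transmission but is not completely revealing, so it falls in the class of Theorem 7, whereas maximum is completely revealed by $y = 0$ exactly as the text describes; oblivious transfer fails Definition 3 because $f_1$ is constant.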

The statement of the theorem below refers to the bandwidth of a protocol $\rho$. This is defined to be the total number of bits sent by both parties in a protocol execution. We are now ready to state the lower bound:

Theorem 7 Let $f = (f_1, f_2)$ be a deterministic two-party functionality over a finite domain that is not completely revealing and enables bit transmission. If a non-trivial protocol $\rho$ securely computes $f$ under $m$-bounded concurrent self composition, then the bandwidth of $\rho$ is greater than or equal to $m$.

Proof: As a first step, we note that the proof of Theorem 4 actually proves something stronger than the theorem statement. Before showing this, we first define the bandwidth of a hybrid-model protocol $\pi$ that utilizes ideal calls to $f$ to equal the total number of bits sent by the parties to each other, plus a single bit for each call to $f$.^6 Now, let $\pi$ be a hybrid-model protocol that utilizes ideal calls to $f$, and has bandwidth at most $m$. Then, in the proof of Theorem 4, we actually showed that if $f$ enables bit transmission, then $m$ invocations of $\rho$ suffice for perfectly emulating $\pi^\rho$ (one invocation for each bit of $\pi$ and one invocation for replacing each ideal call to $f$). In other words, for any protocol $\pi$ of bandwidth at most $m$, an execution of $\pi^\rho$ can be emulated using $m$ concurrent executions of $\rho$. Furthermore, this yields a simulator for the hybrid-model execution of $\pi$ with $f$. Thus, security under $m$-bounded concurrent self composition implies security under concurrent general composition for protocols $\pi$ of bandwidth at most $m$. We conclude that the following claim holds:

^6 This may seem to be a strange way to count the bandwidth of a hybrid-model protocol. However, what we are really interested in is the bandwidth of a real protocol; this is just a tool to reach that aim and defining it in this way simplifies things.

Claim 8 Let $f$ be a two-party functionality that enables bit transmission, and let $\rho$ be a polynomial-time protocol. If $\rho$ securely computes $f$ under $m$-bounded concurrent self composition, then for every hybrid-model polynomial-time protocol $\pi$ of bandwidth at most $m$ that utilizes ideal calls to $f$ and for every non-uniform probabilistic polynomial-time real-model adversary $A$ for $\pi^\rho$, there exists a non-uniform probabilistic polynomial-time hybrid-model adversary $S$ such that for all $x, y \in \{0,1\}^n$ and all $z \in \{0,1\}^*$,

$$\{\mathrm{HYBRID}^f_{\pi,S}(x, y, z)\}_{n \in \mathbb{N}} \stackrel{c}{\equiv} \{\mathrm{REAL}_{\pi^\rho,A}(x, y, z)\}_{n \in \mathbb{N}} \quad (1)$$

We now proceed with the actual proof of Theorem 7. Let f = (f_1, f_2) be a deterministic two-party functionality over a finite domain, such that f is not completely revealing and enables bit transmission. We prove the theorem for the case that f_2 does not completely reveal P_1's input; the other case is analogously proven. Assume, by contradiction, that there exists a protocol ρ that securely computes f under m-bounded concurrent self composition, and has bandwidth less than m. We then show that in such a case, it is possible to construct a protocol π that utilizes ideal calls to f and has bandwidth at most m, such that π has the following property: There exists a real-model adversary A for π^ρ such that no hybrid-model adversary/simulator S can cause Eq. (1) of Claim 8 to hold. This thereby contradicts Claim 8, and we conclude that if ρ securely computes f under m-bounded concurrent self composition, then it must have bandwidth of at least m.

Protocol π of bandwidth m: Protocol π works as follows. Party P_2 receives for input two uniformly chosen values x ∈_R X and y ∈_R Y. (Note that since security must hold for all inputs, it must also hold for uniformly chosen inputs.) Then, P_2 sends the input y to the trusted party for an ideal call to f. In addition, P_2 runs the instructions of P_1 in ρ with input x. At the conclusion, P_2 outputs 1 if and only if the output that it receives from the trusted party is f_2(x, y). This completes the instructions for P_2. Regarding the instructions for party P_1, it actually makes no difference because this party will always be corrupted in π. Nevertheless, in order for π to make sense, one can define P_1 in an analogous way to P_2. This completes the description of π. Note that by the assumption that ρ has bandwidth of less than m, the protocol π has bandwidth less than or equal to m (if ρ has bandwidth m − 1, then π will have bandwidth m by adding 1 for the single ideal call to f).

We stress that P_2's instructions in protocol π are not equivalent to its instructions in ρ. This is because in π, party P_2 follows the instructions of P_1 in ρ. However, such behaviour may not be in accordance with ρ, because P_1's instructions in ρ may not be symmetric with P_2's instructions (e.g., see the protocols of [15,18] that use asymmetrical instructions in an inherent way). Nevertheless, by Claim 8, protocol ρ must remain secure for all protocols π of bandwidth at most m, and in particular, for the protocol π above.
Real-model adversary A for π^ρ: Let A be an adversary who controls the corrupted party P_1. Before describing A, notice that the composed protocol π^ρ essentially consists of two executions of ρ: in one of the executions, each party plays its designated role (these are the ρ-messages) and in the other, the parties play reversed roles (these are the π-messages). Adversary A works as follows. When P_2 sends the first ρ-message to P_1,⁷ adversary A forwards this same message back to P_2 as if it is P_1's first π-message to P_2. Then, when P_2 answers this π-message (according to P_1's instructions in ρ and with input x), A forwards it back to P_2 as if it is a ρ-message from P_1.

Since party P_2 runs the ρ-instructions of P_1 in π, the execution of π^ρ with adversary A amounts to P_2 playing both roles in a single execution of ρ, where input x is used for P_1's role and input y is used for P_2's role. Furthermore, P_2 plays both roles honestly and according to the respective instructions of P_1 and P_2. Therefore, the transcript is identical to the case that two honest parties P_1 and P_2 run ρ with respective inputs x and y. By the security of ρ and the fact that it is a non-trivial protocol, we have that except with negligible probability, P_2 receives the P_2-output from this execution of ρ, and that this output must equal f_2(x, y). (This follows from the guaranteed behaviour of such a protocol when two honest parties participate.) Now, since P_2 outputs 1 in π if and only if it receives f_2(x, y) from the trusted party, we have that it outputs 1 in the π^ρ execution with A, except with negligible probability (recall that in π^ρ, the output from ρ is treated by P_2 as if it was received from the trusted party).

Hybrid-model adversary S for π: By the assumption that ρ is secure under m-bounded concurrent self composition and from Claim 8, we have that there exists a probabilistic polynomial-time hybrid-model adversary S such that:

\[
\{\mathrm{HYBRID}^{f}_{\pi,\mathcal{S}}(\lambda,(x,y),\lambda)\} \;\stackrel{c}{\equiv}\; \{\mathrm{REAL}_{\pi^{\rho},\mathcal{A}}(\lambda,(x,y),\lambda)\} \tag{2}
\]

Notice here that P_2's input is (x, y) as described above and we can assume that P_1's input and the adversary's auxiliary input are empty strings λ.

We now make an important observation about the hybrid-model simulator S from Eq. (2). In the ideal execution, with overwhelming probability, S must send the trusted party an input x̃ ∈ X such that for every y ∈ Y, f_2(x̃, y) = f_2(x, y), where x is from P_2's input to π. In other words, S must send the trusted party a value x̃ that is equivalent to P_2's input x. Otherwise, P_2's output from the hybrid and real executions will be distinguishable. In order to see this, recall that in a real execution with A, party P_2 outputs 1 except with negligible probability. Therefore, the same must be true in the hybrid execution. However, if S sends an input x̃ for which there exists a ỹ so that f_2(x̃, ỹ) ≠ f_2(x, ỹ), then with probability 1/|Y| party P_2 will output 0; specifically when P_2's input y equals this ỹ (note that since Y is finite, this is a constant probability). This argument works because P_2 does not use y in any messages sent to S in the hybrid-model execution of π. Thus, S works independently of the choice of y.

Until now, we have shown that the hybrid-model adversary S can “extract” an input x̃ that is equivalent to x. However, notice that S does this while essentially running an on-line execution of ρ with party P_1. (Of course, the interaction is actually of π-messages with P_2. Nevertheless, P_2 just plays P_1's role in ρ for this interaction, so this makes no difference.) This means that S could actually be used by an adversary who has corrupted P_2 and wishes to extract the honest P_1's input, or one equivalent to it. Since f is not completely revealing, this is a contradiction to the security of ρ. We proceed to formally prove this.

⁷ We assume without loss of generality that the first message in ρ is sent by P_2.

A different scenario: We now change scenarios and consider a single execution of ρ with an honest party P_1 who has input x ∈_R X, and a real-model adversary A' who controls a corrupted P_2. The strategy of A' is to internally invoke the hybrid-model adversary S, and perfectly emulate for it the hybrid-model execution of π with ideal calls to f. Adversary A' needs to emulate the trusted party for the ideal call to f that is made by S, as well as the π-messages that S expects to receive. Notice that in the setting of a hybrid-model execution of π, these π-messages are sent by P_2. However, they are exactly the messages that an honest P_1 would send in a single real-model execution of ρ, with input x. Therefore, A' forwards S the messages that it receives from P_1 in its real execution of ρ, as if S received them from P_2 in a hybrid-model execution of π. Likewise, messages from S are sent externally to P_1. At some stage of the emulation, S must send a value x̃ to the trusted party. A' obtains this x̃, outputs it and halts.

The view of S in this emulation by A' (until A' halts) is identical to its view in a hybrid-model execution of π. Therefore, by the above observation regarding S, it holds that x̃ must be such that for every y ∈ Y, f_2(x̃, y) = f_2(x, y), except with negligible probability. That is, in a single real execution of ρ between an honest P_1 and an adversary A' controlling P_2, we have that A' outputs a value x̃ that is equivalent to P_1's input x (except with negligible probability).

It remains to show that in an ideal execution of f, for every ideal-model simulator S' controlling P_2, the probability that S' outputs a value x̃ that is equivalent to P_1's input x is less than 1 − 1/p(n), for some polynomial p(·). This suffices because the real-model adversary A' does output such an x̃; this therefore proves that there does not exist a simulator for A', in contradiction to the (stand-alone) security of ρ. Now, in an ideal execution, S' sends some input y to the trusted party and receives back f_2(x, y). Furthermore, S' sends y before receiving any information about x. Therefore, we can view the ideal execution as one where S' first sends some y to the trusted party and then P_1's input x ∈_R X is chosen uniformly from X. Now, since f_2 is not completely revealing, we have that for every y ∈ Y, there exist two non-equivalent inputs x_1, x_2 ∈ X such that f_2(x_1, y) = f_2(x_2, y). Since x ∈_R X, we have that with probability 2/|X|, party P_1's input x is in the set {x_1, x_2}. Thus, with probability 2/|X|, party P_2's output (and so the value received by S') is f_2(x_1, y) = f_2(x_2, y). Given that this event occurred, S' can output a value that is equivalent to x with probability at most 1/2. (Recall that x_1 and x_2 are not equivalent. Therefore, S' cannot output a value that is equivalent to both x_1 and x_2. Furthermore, the probability that x = x_1 equals the probability that x = x_2. In other words, S' must fail with probability 1/2 in this case.) We conclude that in the ideal execution, S' outputs a value that is not equivalent to P_1's input with probability at least 1/|X|. Thus, the real and ideal executions can be distinguished with advantage that is at most negligibly smaller than 1/|X|. Since X is finite, 1/|X| is a constant probability and so this contradicts the security of ρ, completing the proof. ■
Abstract. We consider a new model for non-interactive zero-knowledge where security is not based on a common reference string, but where prover and verifier are assumed to possess appropriately correlated secret keys. We present efficient proofs for equality of discrete logarithms in this model with unconditional soundness and zero-knowledge. This has immediate applications to non-interactive verification of undeniable signatures and pseudorandom function values. Another application is the following: a set of l servers, of which less than l/2 are corrupt, hold shares of a secret integer s. A client C specifies g in some finite group G, and the servers want to allow the client to compute g^s non-interactively, i.e., by sending information to C only once. This has immediate applications in threshold cryptography. Using our proof system, the problem can be solved as efficiently as the fastest previous solutions that either required interaction or had to rely on the random oracle model for a proof of security. The price we pay is the need to establish the secret key material once and for all. We present an alternative solution to the problem that is also non-interactive and where clients need no secret keys. This comes at the expense of more communication and the assumption that less than l/3 of the servers are corrupt.



1 Introduction 

In a zero-knowledge proof system, a prover convinces a verifier via an interactive protocol that some statement is true, i.e., a given word x is in some given language L. The verifier must learn nothing beyond the fact that the assertion is valid. Zero-knowledge is an extremely useful notion and has found innumerable applications. Many variants of the model have been studied, in particular variants where some extra resource is assumed to be available. In some cases, this allows one to construct zero-knowledge proofs more efficiently than in the standard model, e.g., in terms of round or communication complexity. For instance, in the well known model of non-interactive zero-knowledge, prover and verifier are assumed to have access to a common random reference string σ. This allows the prover to prove his statement x ∈ L simply by computing a single string π and sending it to the verifier, who can check it against σ.

In this paper, we propose a new non-interactive variant, where there is no common random string (we do include a public string in our model for convenience, but this is not essential). The new ingredient is that prover and verifier are assumed to have secret keys sk_P, respectively sk_V. These are assumed to be chosen with some appropriate joint distribution depending on the language in question. The prover proves that x ∈ L by computing a proof π from x, sk_P and some private information related to x. When π is sent to the verifier, he can check it against x and sk_V.

Intuitively, the prover is prevented from cheating because he doesn't know sk_V, and so does not know “how” the verifier will check the proof. On the other hand, although sk_P and sk_V must be correlated in a particular way, sk_V taken by itself has a distribution that is easy to simulate from scratch. Furthermore, we arrange it such that given sk_V and x ∈ L, the proof π that the prover would give is easy to compute, thus allowing the verifier's entire view to be simulated efficiently.

Our motivation for introducing this model is an efficient example we present 
allowing non-interactive proofs of statements related to discrete logarithms. We 
give here an informal presentation of the idea, which will be formalized later in 
the paper. 

Let us assume that we are given a finite group G of prime order q, and that P has a secret number s ∈ Z_q. Now, sk_P is a random element y ∈ Z_q, while sk_V is a pair α, β where α is random in Z_q while β = αs + y. We discuss later how such keys can be set up. Note that sk_V is independent of s. The purpose of the proof system is to allow P to prove that g, h ∈ G satisfy g^s = h, whenever this is the case. To understand how sk_P, sk_V help to do this, think of s as a message, y as an authentication code, and α, β as a verification key. Indeed, if P were to reveal s, y, then V could check that s was in fact the value fixed at key set-up time by verifying β = αs + y. It is easy to see that to cheat, the prover would have to guess α. Now, since the verification is done by taking a linear combination of s, y we can instead do the check “in the exponent” when we are given g^s instead of s. So given g, h = g^s, P sends as proof π = g^y, and V checks that g^β = h^α π. Informally, this is zero-knowledge, since given g, h, sk_V, V can easily compute what π should be.

So the proof consists of sending one group element and requires one expo- 
nentiation to compute and at most two for verification. Later, we generalize the 
idea to arbitrary finite groups, where P, V do not even need to know the order 
of G. An important fact from a practical point of view is that neither the prover 
nor the verifier need random coins: security of the proof system relies only on the 
randomness involved in choosing the keys. Since obtaining random bits securely 
“on the fly” can be difficult, it is interesting to be able to push the need for 
randomness to a set-up phase. 

We mention that the hash proof systems of Cramer and Shoup [1] are also a special case of our model where sk_P is empty. The most well-known example of hash proof systems also relates to equality of discrete logarithms: given generators g_0, g_1 of a prime order group G, the prover can show for given h_0, h_1 that h_0 = g_0^s, h_1 = g_1^s. Here, sk_V consists of two random integers a, b, and the prover must know g_0^a g_1^b to compute the proof. Thus, hash proof systems allow proving equality of discrete logs, assuming that the “base elements” g_0, g_1 are fixed.

Our proof system instead fixes the exponent, and allows the base to vary without changing the keys. This dramatically expands the range of possible applications, as we shall see. We emphasize that all our applications must of course assume that correctly chosen secret keys are set up for all would-be provers and verifiers before use. This can always be established by trusted parties, or by secure two-party or multiparty computation. For our main example proof system, we give an efficient key set-up protocol later in the paper. This protocol only involves the prover and verifier; it is constant round and has communication complexity O(k) bits, where k is the security parameter.

An obvious application is to do non-interactive confirmation of undeniable signatures, when using Chaum's original scheme [2], or the convertible scheme of Rabin et al. [9]. This is immediate because these schemes produce signatures by computing a group element from the input message and raising this to a fixed secret exponent. A further application is to verify outputs from the pseudo-random functions of Naor and Reingold [11]. A secret key for their construction consists of a set of fixed exponents, and one evaluates the function by raising a fixed element in a prime order group to a sequence of exponents determined by the input. Using Nielsen's variant of this construction [12], it is safe to reveal the intermediate results. Each of these can be sent along with the function value and verified non-interactively using our proof system. This gives a functionality similar to verifiable pseudorandom functions, but the construction is conceptually simpler and more efficient than known constructions.

A final application is the following: a set of l servers, of which less than l/2 are corrupt, hold shares of a secret integer d. A client C specifies g in some finite Abelian group G, and the servers want to allow the client to compute g^d non-interactively, i.e., by sending information to C only once and with no communication between servers. This has immediate connections to threshold cryptography, and can be applied directly to distributed El-Gamal and RSA. Using our proof system, the problem can be solved as efficiently as the fastest previous solutions that either required interaction or had to rely on the random oracle model for a proof of security. The price we pay is, as mentioned, the need to establish the secret key material once and for all. Some variants are possible, however: a client without secret keys can still use the system, at the expense of an extra round of communication. Or he can do a key set-up protocol once and for all with the servers, and then use the system non-interactively.

A different type of “trade-off” is also possible. We present an alternative solution to the problem, which is not directly based on secret-key zero-knowledge, but uses a related technique. It is also non-interactive and needs no secret keys for clients. This comes at the expense of more communication and the assumption that less than l/3 of the servers are corrupt.
2 Secret-Key Zero-Knowledge

Our model involves the following ingredients: interactive Turing Machines P, V (Prover and Verifier) and the Key generator, a PPT algorithm G. In addition, a (possibly infinite) set of strings PK.

In the model, we play initially a game where the language in which membership is to be proved is fixed, and where keys are set up: P, V get as input pk ∈ PK and 1^k where k is a security parameter. Then P outputs strings s, inp_P and V outputs string inp_V. Then G is run on input 1^k, pk, s, inp_P, inp_V, and will output two strings sk_P, sk_V which will later be given to P, V, respectively.

The meaning of this is as follows: each pair s, pk, where pk ∈ PK, defines a language L_{s,pk}, that is, we assume there is a polynomial time algorithm that decides if x ∈ L_{s,pk}, when given s, pk as additional input. One can think of pk as a public key chosen once and for all, and s as a secret piece of information that the prover is committed to after the key set-up phase. Our model captures this by having P give s to G initially. Because the prover is committed to s, the language L_{s,pk} is well defined, even though V gets no information initially on s. For instance, pk might specify a finite group, and s could be a secret discrete logarithm.

G models a protocol or a trusted party that will set up secret keys for P, V which will help P in convincing V about membership in L_{s,pk}. The strings inp_P, inp_V allow us to model the influence that P or V are allowed on the keys produced.

Now, from inputs s, sk_P, pk and x ∈ L_{s,pk} the prover computes output string P(x, s, pk, sk_P). This can be thought of as a non-interactive zero-knowledge proof that x ∈ L_{s,pk}. The verifier can from input x, a string pr (supposedly coming from P) and pk, sk_V compute as output 1 for “accept” or 0 for “reject”. We now have

Definition 1. The triple (G, P, V) is said to be a secret-key zero-knowledge proof system for PK with error probability ε(·,·) if the following conditions are satisfied:

Completeness. Correct proofs produced and checked using matching keys are always accepted: Fix any pk ∈ PK, and any s, sk_P, sk_V that can be produced by honest G, P, V on input pk. Then for any x ∈ L_{s,pk}, we have V(x, P(x, s, pk, sk_P), pk, sk_V) = 1 with probability 1.

Soundness. Even given the secret prover information, no prover can produce t statements and proofs, and have any false statement accepted with probability better than ε(pk, t): Fix any pk ∈ PK, and for any (possibly unbounded) prover P*, set (s, inp_P) = P*(pk). Set (sk_P, sk_V) = G(1^k, s, pk, inp_P, ⊥). Give sk_P as input to P*. Now do the following for i = 1...t: P* produces a word x_i and a proof pr_i, and receives V's output bit V(x_i, pr_i, pk, sk_V). We require that V rejects all x_i ∉ L_{s,pk} except with probability ε(pk, t).

Zero-Knowledge. The verifier's view of the key generation and proof of any true statement(s) can be simulated with the correct distribution. Fix any pair (s, pk) (pk ∈ PK), and consider any verifier V*. Set inp_V = V*(pk), and (sk_P, sk_V) = G(1^k, s, pk, ⊥, inp_V). Finally, for any word x ∈ L_{s,pk}, run P(x, s, pk, sk_P) to obtain a proof pr. There exists a PPT simulator M_1 such that the output distribution M_1(1^k, pk, inp_V) is statistically indistinguishable from that of sk_V. Moreover, there exists a PPT simulator M_2 such that the output distribution M_2(1^k, pk, sk_V, x) is statistically indistinguishable from that of pr.

Discussion: In this model, the quality of the simulation is guaranteed by in- 
creasing the security parameter k. We do not require that the soundness error 
vanishes with increasing k, but this can be achieved by generating several inde- 
pendent sets of keys for the same pair s,pk and repeating the proof system in 
parallel. However, for all the applications we are aware of, this is not necessary, 
because the application allows us to choose s,pk such that the soundness error 
is already exponentially small for all polynomial t. 

The simulator is given the public string pk and must simulate w.r.t. pk. Thus, 
unlike standard non-interactive zero-knowledge, the reason why the simulator 
can work efficiently is not that it gets to choose the public string by itself, but 
that it knows sky and can use this knowledge when simulating the proofs. 

Note that the zero-knowledge requirement implies that a cheating verifier's view can be simulated, even in a case where several statements are proved after key generation and where the verifier can decide the order in which they are proved: one simply runs M_1 and then M_2 a number of times using the output of M_1 and the relevant statements to be proved. This works since the honest prover acts independently on each statement, given his secret key.

The definition requires unconditional security for both parties. This is pos- 
sible since both players possess information that is information theoretically 
hidden from the other player. However, if G is realized via a protocol that only 
offers computational security, this will of course reduce the security of the proof 
system to computational as well. 

Our model may superficially resemble earlier proposals for “zero-knowledge 
with preprocessing” . The essential difference is that we have no restriction on 
the number of proofs that can be done based on a given key pair, while earlier 
schemes used the preprocessing phase to build resources that would eventually 
run out later. 

We proceed to present our main example of SKZK. Our set of public keys PK is the set of strings pk that contain (in some fixed format) a specification of a finite Abelian group G and natural numbers k_0, k_1, where the smallest prime factor in the order of G is larger than 2^{k_0}. The language L_{s,pk} consists of pairs of elements g, h ∈ G such that h = g^s, provided that s is an integer in [0..2^{k_1} − 1]. Otherwise it is empty.

This specification reflects the fact that a bound on the size of prime factors 
in the order of G will be needed to estimate the soundness error of our proof 
system, and that it is only intended to work for values of s up to a certain limit. 

The specification of G is a string, such that if it is known, one can decide membership in G and compute the group operation and inverses in G efficiently (poly-time in the size of the specification). For instance, G could be a prime order subgroup of Z_p^* for some prime p, or (a subgroup of) Z_n^* for an appropriately chosen RSA-modulus n.

The key generator is given s, G, k_0, k_1, security parameter k, and two strings inp_P, inp_V that are interpreted as integers in the standard way (recall that these are used to model the allowed influence of (corrupt) P or V on the choice of keys). Test if the following conditions are satisfied: s ∈ [0..2^{k_1} − 1]; inp_P ∈ [0..2^{k_0+k_1+k}] or inp_P is empty; inp_V ∈ ]0..2^{k_0}] or inp_V is empty.

If the conditions are satisfied, then set α = inp_V, or if inp_V is empty, choose α uniformly random in ]0..2^{k_0}]. Set y = inp_P, or if inp_P is empty, choose y uniformly random in [0..2^{k_0+k_1+k}]. Set β = αs + y. Finally, set sk_P = (s, y), sk_V = (α, β) and output these values.

If the conditions on s, inp_P, inp_V are violated, output empty strings and stop.

The honest prover and verifier are assumed to always choose empty strings as inp_P, inp_V.

From a practical point of view, this SKZK proof system can be used to allow a prover to get g ∈ G as input, send g^s to the verifier and non-interactively prove that this was correctly done. The specification of G allows that a corrupt P can choose s, y (in the correct intervals), but will get no information on α. A corrupt V can choose α as any value in the interval he likes, but he learns no information on s, y other than β. The specification also allows a corrupt party to block the key generation; this models the fact that since we want to implement G via a two-party protocol, we cannot guarantee successful termination because one player can just stop early.

We proceed to describe the other algorithms: 

The prover will on input g, h where h = g^s, compute v = g^y as the proof (assuming sk_P is not empty).

The verifier will on input g, h, v check whether g, h ∈ G and g^β = h^α · v, and will accept if and only if this is the case.

We have: 

Theorem 1. The above is a SKZK proof system for PK with error probability t/(2^{k_0} − t).

Proof. Completeness is trivial by simply plugging the values produced by the prover into the equation checked by the verifier. For soundness, assume first that t = 1, that G is cyclic, and that we have h ≠ g^s and some proof v. Writing everything as a power of a generator γ of G, we have g = γ^i, h = γ^j, v = γ^m. The assumption h ≠ g^s implies si − j ≠ 0 mod q^l for some prime factor q in the order of G, where q^l is the maximal q-power dividing |G|. In order to have the proof accepted, the prover must arrange it such that

\[
g^{\beta} = h^{\alpha} v
\]

which means that βi = αj + m mod q^l. Now, since key generation ensures that β = αs + y we find that

\[
\alpha(si - j) = (m - iy) \bmod q^{l}.
\]


Let q^b be the maximal q-power dividing both sides of this equation. By choice of α, it is non-zero modulo q, so we have

\[
\alpha \cdot \frac{si - j}{q^{b}} = \frac{m - iy}{q^{b}} \bmod q^{\,l-b}.
\]

The assumption si − j ≠ 0 mod q^l implies b < l. It follows that

\[
\alpha = \left(\frac{si - j}{q^{b}}\right)^{-1} \cdot \frac{m - iy}{q^{b}} \bmod q^{\,l-b},
\]

in other words, to have the false g, h accepted, the prover must guess α mod q^{l−b}. However, α was randomly chosen among 2^{k_0} < q possibilities, and by the specification of G, the prover has no a priori information on α. So accept happens with probability at most 1/2^{k_0}. If G is not cyclic, we can write G as a direct product of r cyclic components G_1, ..., G_r and g, h as r-tuples (g_1, ..., g_r), (h_1, ..., h_r) in the standard way. If h ≠ g^s, this means that h_i ≠ g_i^s for some i, and we can then use the argument above in the cyclic subgroup G_i.

Finally we consider the case of proving several statements: if a cheating prover sends any correct g, h where h = g^s, he can compute from his secret key what the correct proof should be, and since this is the only value the verifier will accept, the prover can predict the verifier's reaction to any proof he might choose to send along with g, h.

Now consider the situation where the prover is about to compute a new proof, assuming that he has not yet made the verifier accept a false statement. By the above, the new information the prover could have learned earlier must come from cases where a proof of a false statement was rejected. Assuming that t false proofs were already rejected, the prover can exclude t possible values of α, so the next proof will be accepted with probability at most 1/(2^{k_0} − t). This implies the claimed error probability by an easy induction argument.

Zero-knowledge follows since we can simulate the choice of α, β by first choosing α ∈ ]0..2^{k_0}] based on inp_V in the same way as G would have done it. Then we choose at random β ∈ [0..2^{k_0+k_1+k}]. This simulates α perfectly and β with statistically close (in k) distribution, since in real life β = αs + y and y is k bits longer than αs. Furthermore, given correctly distributed α, β and (g, h) ∈ L, the (uniquely determined) proof that the honest prover would send is v = g^β h^{−α}.
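The key generator, prover, verifier and simulator M_2 above, instantiated in Python as an added example (not the paper's code) in a constructed toy group: the safe prime p = 2039 with its order-1019 subgroup, k_0 = k_1 = 8 and k = 16, all far below cryptographic size. accepting_forgeries enumerates every proof a cheating prover could attach to a false statement h' = g^{s'} and shows that exactly one is accepted, the one whose computation needs α.

```python
"""Toy instantiation of the SKZK proof system of Section 2 (added example).
Language: pairs (g, h) with h = g^s.  sk_P = (s, y), sk_V = (alpha, beta),
beta = alpha*s + y.  Group, parameter sizes and inputs are constructed here
and are far too small for real use; they exist only to run the scheme."""
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, G = the order-Q subgroup
# of Z_P^*, generated by G_GEN.  Q > 2^K0, as the public key pk requires.
P, Q, G_GEN = 2039, 1019, 4
K0, K1, K = 8, 8, 16        # bit bounds for alpha and s, statistical parameter k


def is_prime(n):
    """Trial division; adequate for the toy parameters above."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1 and Q > 2 ** K0
assert G_GEN != 1 and pow(G_GEN, Q, P) == 1      # G_GEN has order exactly Q


def in_group(x):
    """Membership test for G; the verifier applies it to g and h."""
    return 0 < x < P and pow(x, Q, P) == 1


def keygen(s, inp_p=None, inp_v=None):
    """Key generator G of Section 2.  inp_p / inp_v model the influence a
    corrupt party is allowed: P may fix y, V may fix alpha, each within its
    interval.  Returns (sk_P, sk_V), or (None, None) when a condition fails."""
    if not 0 <= s <= 2 ** K1 - 1:
        return None, None
    if inp_v is not None and not 0 < inp_v <= 2 ** K0:
        return None, None
    if inp_p is not None and not 0 <= inp_p <= 2 ** (K0 + K1 + K):
        return None, None
    alpha = inp_v if inp_v is not None else secrets.randbelow(2 ** K0) + 1
    y = inp_p if inp_p is not None else secrets.randbelow(2 ** (K0 + K1 + K) + 1)
    beta = alpha * s + y        # over the integers; y is K bits longer than alpha*s
    return (s, y), (alpha, beta)


def prove(g, sk_p):
    """Honest prover: output h = g^s and the proof v = g^y.  No random coins."""
    s, y = sk_p
    return pow(g, s, P), pow(g, y, P)


def verify(g, h, v, sk_v):
    """Honest verifier: accept iff g, h in G and g^beta == h^alpha * v."""
    alpha, beta = sk_v
    if not (in_group(g) and in_group(h)):
        return False
    return pow(g, beta, P) == (pow(h, alpha, P) * v) % P


def simulate_proof(g, h, sk_v):
    """Simulator M_2: from sk_V alone, the unique accepting proof for (g, h)
    is v = g^beta * h^(-alpha)  (negative exponent needs Python 3.8+)."""
    alpha, beta = sk_v
    return (pow(g, beta, P) * pow(h, -alpha, P)) % P


def accepting_forgeries(g, s_false, sk_v):
    """Soundness, cyclic case: a cheating prover claims h' = g^s_false with
    s_false != s.  Try every v in G (v = g^y' for y' in Z_Q) and return the
    accepted ones.  Exactly one survives: the y' with
    alpha*(s - s_false) + y - y' == 0 mod Q, which cannot be found without alpha."""
    h_false = pow(g, s_false, P)
    candidates = (pow(g, yp, P) for yp in range(Q))
    return [v for v in candidates if verify(g, h_false, v, sk_v)]


if __name__ == "__main__":
    sk_p, sk_v = keygen(123)
    h, v = prove(G_GEN, sk_p)
    print("honest proof accepted:", verify(G_GEN, h, v, sk_v))
    print("simulator matches real proof:", simulate_proof(G_GEN, h, sk_v) == v)
    print("accepting proofs for a false h':", len(accepting_forgeries(G_GEN, 200, sk_v)))
```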



2.1 Some Variations 

From the proof of the above theorem, it is clear that we do not really need to fix the group G in advance. The same key set-up can be reused for any Abelian group; the only price to pay may be that the soundness error probability can be larger: if the group has a prime factor q in its order smaller than 2^{k_0}, the error probability for one proof will be Θ(1/q).

A variation on this: Suppose G is a direct product G = H × K, where |H| has only prime factors > 2^{k_0}, and furthermore for some publicly known γ it holds that e^γ = 1 for all e ∈ K. Then given an instance (g, h), we can use the original proof system on the pair (g^γ, h^γ), in order to prove that g^{γs} = h^γ. For some applications, including threshold RSA, this is sufficient.

Finally, we note that some generalizations are possible of the form of statement proved: suppose we have two secrets s, s' and have set up keys y, y' and (α, β), (α', β') just as above, except that we have designed the key generation such that α = α'. It is then possible for the prover to send g, g', h and prove that h = g^s g'^{s'}. The proof would be v = g^y g'^{y'} and the verifier would check that g^β g'^{β'} = v h^α.

3 Key Set-Up Protocol 

Suppose now that P, V want to agree on a set of keys for the SKZK proof system we have described, assuming that the public string pk has already been generated (i.e., some group has been chosen) and P knows the secret s he will be using. We sketch here an efficient protocol that securely realizes the G we specified earlier.

The protocol can be proved secure in Canetti's model for secure function evaluation [14], assuming a static adversary that corrupts P or V. We make no claims here on composability of the protocol, other than the sequential composability that follows from Canetti's definition. However, we believe that in the common reference string model and using the techniques from [7], a universally composable version could be designed without essential loss of efficiency.



3.1 A First Attempt 

We first describe a solution that works if both parties follow the protocol. Sup- 
pose V chooses a key pair for a semantically secure and additively homomorphic 
public-key cryptosystem. As an example we will use the one by Paillier [13]. He sends 
the public key pk_V to P, and also sends the encryption E_{pk_V}(α), where α has 
been chosen as described in the key generation for the SKZK proof system. 

Then (assuming P knows s already) P chooses y as in the key generation for 
SKZK, uses the homomorphic property to compute an encryption E_{pk_V}(αs + y) 
and sends this to V. Finally, V decrypts and defines the result to be β. Of 
course, we want that β = sα + y as integers, and the Paillier cryptosystem is 
only homomorphic w.r.t. addition modulo some RSA modulus; but as long as 
the modulus is chosen large enough compared to the sizes of α, s and y, no 
modular reductions will occur, and β will be the correct value. 

Clearly, V learns nothing new except β, and a computationally bounded P 
learns nothing new, assuming he cannot break the semantic security. 
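The set-up just described, followed by one SKZK proof under the resulting keys, as an added example (this is not the paper's code). It assumes a constructed toy group, the order-q subgroup of Z_p^* for the safe prime p = 1019 with generator 4, and small constructed Paillier primes; the Paillier modulus is still far larger than αs + y, so the homomorphic sum is computed over the integers as the text requires.

```python
# Added example (not the paper's code): the SKZK proof of h = g^s together with
# the honest-party key set-up of Section 3.1 via Paillier's cryptosystem.
# Toy parameters, constructed for this example: p = 2q + 1 is a small safe
# prime and the group is the order-q subgroup of Z_p^*; a real deployment
# uses a group whose order has only prime factors larger than 2^k.
import math
import secrets

P, Q, G0 = 1019, 509, 4          # 4 is a square mod p, hence of order q
K = 8                            # bit length of alpha (soundness parameter)
L = Q.bit_length()               # bit length of the secret s < q

# --- SKZK proof system for the language {(g, h): h = g^s} -----------------
def skzk_prove(g, y):
    """Prover's (unique) message for instance (g, h): v = g^y = g^beta h^-alpha."""
    return pow(g, y, P)

def skzk_verify(g, h, v, vkey):
    """Verifier checks g^beta == v * h^alpha with its secret key (alpha, beta)."""
    alpha, beta = vkey
    return pow(g, beta, P) == v * pow(h, alpha, P) % P

# --- Paillier with small constructed primes (n must exceed alpha*s + y) ----
PP, PQ = 1000003, 1000033
N, N2 = PP * PQ, (PP * PQ) ** 2
LAM = (PP - 1) * (PQ - 1) // math.gcd(PP - 1, PQ - 1)
MU = pow(LAM, -1, N)             # generator is 1 + n, so L(g^lambda) = lambda

def paillier_enc(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def paillier_dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

# --- Section 3.1: key set-up when both parties follow the protocol --------
def first_attempt_setup(s, alpha=None):
    """Returns V's key (alpha, beta) and P's key y with beta = alpha*s + y."""
    # V chooses alpha as in the SKZK key generation and sends E(alpha).
    if alpha is None:
        alpha = secrets.randbelow(2 ** K)
    c_alpha = paillier_enc(alpha)
    # P chooses y (k bits longer than alpha*s) and computes E(alpha*s + y)
    # from E(alpha) alone: E(alpha)^s * E(y) = E(alpha*s + y).
    y = secrets.randbelow(2 ** (2 * K + L))
    c_beta = pow(c_alpha, s, N2) * paillier_enc(y) % N2
    # V decrypts; since alpha*s + y < n no modular reduction has happened.
    beta = paillier_dec(c_beta)
    return (alpha, beta), y

def demo(s, alpha=None):
    """Runs the set-up, then one honest proof and one attempt to prove the
    false statement h' = g^(s+1) with the same proof and verifier key."""
    vkey, y = first_attempt_setup(s, alpha)
    h = pow(G0, s, P)
    v = skzk_prove(G0, y)
    honest_ok = skzk_verify(G0, h, v, vkey)
    false_ok = skzk_verify(G0, pow(G0, s + 1, P), v, vkey)
    return vkey, y, honest_ok, false_ok

if __name__ == "__main__":
    print(demo(secrets.randbelow(Q)))
```

With a nonzero α the false statement can never pass, since acceptance would require g^α = 1 in a group of prime order q > 2^k.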
3.2 The Real Solution 

In order to make a solution secure even against active cheating, we assume that 
we have available a public key pkc for an integer commitment scheme such as the 
one by Damgård and Fujisaki [3], allowing P or V to commit to an integer a of 
any size and prove efficiently in zero-knowledge that a belongs to some interval 
using the technique of Boudot [4]. We discuss below where pkc could come from. 

Note that this commitment scheme is homomorphic: from commitments that 
can be opened to integers a, b it is easy to compute a commitment that can be 
opened to (only) a + b. It is also trapdoor, i.e., knowing a certain piece of side 
information, it is possible to produce a commitment that can be opened to any 
desired value. Notation: Com_{pkc}(x, r) denotes a commitment under public key 
pkc to x using random coins r. 

A final tool we need is the efficient method outlined in [6] allowing a party to 
make public a Paillier encryption E_{pk_V}(α) and prove that α belongs to a given 
interval. This involves making a commitment Com_{pkc}(α, r_α), proving that it 
contains the same value as E_{pk_V}(α) and proving that α is in the correct interval 
using the technique from [4]. For details see [6]. 

Then we do the following: 

1. V sends the key pk_V, the encryption E_{pk_V}(α) and proves in ZK that α is in 
the correct interval. 

2. P chooses s, y as in the key generation for SKZK, makes commitments 
S = Com_{pkc}(s, r_s), Y = Com_{pkc}(y, r_y) and proves that he knows how to 
open these commitments to integers in the correct intervals. Similarly, he 
chooses s̃, ỹ as random numbers 2k bits longer than s respectively y, makes 
commitments S̃ = Com_{pkc}(s̃, r_s̃), Ỹ = Com_{pkc}(ỹ, r_ỹ), and proves that s̃, ỹ 
were chosen in the correct intervals. 

3. P uses the homomorphic property of the encryption scheme to compute 
encryptions E_{pk_V}(αs + y), E_{pk_V}(αs̃ + ỹ), and sends these to V, who decrypts 
to get results β, respectively β̃. 

4. V sends a random k-bit challenge e. Both parties use the homomorphic prop- 
erties of the commitment scheme to compute from S, Y, S̃, Ỹ commitments 
Z_s, Z_y to z_s = s + es̃, z_y = y + eỹ. P opens Z_s, Z_y to reveal z_s, z_y to V. 

5. V checks that the openings were correct, and that β + eβ̃ = αz_s + z_y. If so, 
he accepts using α, β as keys to check proofs from P in the future. Output 
for P is s, y. 

Given an oracle that supplies pkc, this protocol can be proved to securely 
realize G as specified above in Canetti's model for secure function evaluation [14], 
assuming a static adversary that corrupts P or V. Due to space limitations, we 
only give informally the essential ideas needed for this: 

By inspection, it is trivial to check that V always accepts if both parties 
follow the protocol, and that the outputs generated have the same distribution 
as G would have produced. 

If a party is corrupt, we need to describe a simulator that interacts on one 
side with the corrupt player and on the other side with the "ideal function" G 
as specified above. It must create a view for the corrupt player that is indistin- 
guishable from the real conversation, and at the same time interact with G on 
behalf of the corrupted player. The induced input/output behavior of G must be 
consistent with the view generated for the corrupted player. In general, if this 
game comes to a point where the corrupt player would make the honest player 
reject and stop, the simulator handles this by sending an illegal value as input 
to G. This causes G to stop without generating output, which is consistent with 
what happens in real life. 

Now, assume P is honest and V may actively cheat. The simulator can use 
rewinding to extract α from the ZK proof of knowledge given in Step 1 and give 
this to G as inp_V. Note that it happens with only negligible probability that α is 
an illegal value simultaneously with the proof being accepted. So we may assume 
that α is in the correct interval, and G will return β to the simulator. From 
the protocol description, it then follows that β, β̃ have distribution statistically 
close to that of y, ỹ, i.e., uniform and independent. In particular, they convey 
only negligible information on s. It follows that z_s has distribution statistically 
close to that of s̃, i.e., uniform and independent from y, ỹ. Finally, z_y always 
satisfies β + eβ̃ = αz_s + z_y. It follows that the opened values V sees in the 
protocol can be simulated with statistically close distribution by choosing β, β̃, z_s 
uniformly and independently with the same distribution as y, ỹ, s̃ and setting 
z_y = β + eβ̃ − αz_s. So if the simulator knows the trapdoor for pkc, it can 
simulate efficiently V's view of the protocol given only pk_V, pkc. 

Then, assume that V is honest. P's view of Step 1 can be simulated by sup- 
plying a random encryption and commitment and simulating the zero-knowledge 
proof to be given. Step 2 forces P to choose values s, y, s̃, ỹ in the correct inter- 
vals, and these values can be extracted by a simulator using the ZK proofs of 
knowledge given in Step 2, and s, y can be given as input to G. Note that in the 
following steps, P learns no new information; the simulator can just play the 
game following V's part of the protocol. Hence, the only remaining question is 
whether the protocol ensures that β = αs + y. The probability that the protocol 
completes successfully while this condition is violated must be negligible, since 
otherwise it will not be consistent with what the ideal G produces. We argue 
that if β ≠ αs + y, then V accepts with negligible probability. For this, it is suffi- 
cient to show that if in Step 4, P can give satisfying answers to a non-negligible 
fraction of the possible challenges, then β = αs + y. Under this assumption, by 
rewinding P, we can efficiently obtain acceptable replies to two distinct values 
e, e'. Because V accepts in both cases, P has opened values z_s, z_y, z'_s, z'_y such 
that 

β + eβ̃ = αz_s + z_y,   β + e'β̃ = αz'_s + z'_y, 

from which we conclude that 

(e − e')β̃ = α(z_s − z'_s) + z_y − z'_y. 

Now, by the binding property of the commitment scheme, except with negligible 
probability, it holds that z_s = s + es̃, z_y = y + eỹ, z'_s = s + e's̃, z'_y = y + e'ỹ. 
Plugging this in gives (e − e')β̃ = (e − e')(αs̃ + ỹ), so β̃ = αs̃ + ỹ, and substituting 
this back into the first equation above we immediately obtain β = αs + y as desired. 
On efficiency, it is straightforward to check by inspection of the above and [4,6,3] 
that the protocol requires communicating only a constant number of encryp- 
tions and commitments, and can be executed in a constant number of rounds. 

Finally, we discuss how to set up the key pkc. This key consists of an RSA 
modulus n and two elements g_0, h_0 ∈ Z*_n with only "large" prime factors in 
their order, and such that h_0 is in the group generated by g_0. Fortunately, in 
our main application, namely threshold RSA, an RSA modulus n is already 
available. Therefore the key set-up will work, assuming that elements g_0, h_0 have 
been chosen once and for all. It requires only little effort to do this at the time 
when n is set up. For instance, if n is a product of safe primes, simply choosing 
g_0, h_0 as random squares will be correct, except with negligible probability. 

Another possibility consists in letting P choose a public key w.r.t. which V 
can commit, and vice versa. Two-party protocols for setting up a key in this way 
are described in detail in [3]. Compared to the previous solution, this costs a 
factor of k in round- and communication complexity, but does not assume any 
previous key set-up at all. 

4 Applications 

4.1 Undeniable Signatures 

In the original scheme for undeniable signatures by Chaum [2], the public key 
is a safe prime p, i.e., such that (p − 1)/2 = q is also a prime, and elements 
g, h ∈ Z*_p, where s, such that h = g^s mod p, is the private key. A signature on 
message m is h(m)^s, where h is some appropriate hash function that maps into 
Z*_p. Signatures seem to be hard to forge under the Diffie-Hellman assumption, but 
furthermore the idea is that it is hard to verify a signature unless the signer is 
willing to help you, by engaging in a protocol where he proves that the discrete 
log of h base g equals that of z base h(m), where z is the purported signature. 
This is called a confirmation protocol. 

Clearly, our proof system can be directly used to build a non-interactive 
confirmation protocol for this scheme, which was not known before, except in the 
random oracle model. Furthermore, it also applies to the convertible scheme of 
Rabin et al. [9], since this scheme is essentially the same but with Z*_p replaced 
by Z*_n, where n is a safe prime product. The idea is that by revealing the 
"public exponent" corresponding to s, all signatures can be instantly converted 
to ordinary signatures. Some minor technical problems, related to the fact that 
the order of Z*_n contains a small prime factor 2, are handled in [9], and their 
solutions to this translate easily to our case. 

4.2 Pseudorandom Functions 

In [11], Naor and Reingold present a pseudorandom function construction based 
on the DDH assumption. The construction takes place in the same group Z*_p 
mentioned above. This has proved a very useful idea for making efficient pro- 
tocols; for instance, Nielsen [12] describes a variant that can also be computed 
in a threshold fashion, and shows how this can be used to build efficient asyn- 
chronous Byzantine agreement protocols and threshold RSA signatures without 
random oracles. 

The variant from [12] has a private key k consisting of l pairs of random 
elements from Z_q, (a_{1,0}, a_{1,1}), ..., (a_{l,0}, a_{l,1}). Also, a random public g ∈ Z*_p of 
order q is given. The function can take any string σ = (σ_1, ..., σ_m) where m ≤ l 
as input, and the output is 

f_k(σ) = g^{a_{1,σ_1} a_{2,σ_2} ··· a_{m,σ_m}}. 

Clearly, our proof system can be used to set up key pairs allowing the party who 
knows the private key k to prove that some element in the subgroup of order q 
has been raised to powers a_{j,b}, j = 1..l, b = 0, 1, respectively. 

This leads to a way to non-interactively verify values of f_k when evaluated 
on strings of length precisely l. Namely, on input σ = (σ_1, ..., σ_l), send 

g^{a_{1,σ_1}}, g^{a_{1,σ_1} a_{2,σ_2}}, ..., g^{a_{1,σ_1} a_{2,σ_2} ··· a_{l,σ_l}} 

plus a proof that the j-th element on the list is the previous one raised to a_{j,σ_j}. 
Note that the first elements on the list are f_k evaluated on substrings of σ, 
so it is secure to reveal these by pseudorandomness of f_k. Some applications 
allow evaluating the function on consecutive values 0, 1, 00, 01, 10, 11, 000, ..., or 
in general such that we never evaluate the function on an input that is a prefix 
of a previously calculated value. In this case, it is secure to use the domain of all 
strings of length at most l. With consecutive values, one can exploit the fact 
that most of the list of function values needed to verify a new one are 
already known, so only a single new value and proof needs to be sent. 

This gives a functionality similar to that of verifiable pseudorandom functions 
(VRF), as proposed by Micali, Rabin and Vadhan [10], although of course at 
the expense of having to set up keys for our proof system first. With a VRF, 
one can simply publish a public key and then send function values and non- 
interactive proofs of correctness. However, VRFs are only known to exist under 
the strong RSA assumption, or under various strong and non-standard variants 
of the DH/DDH assumptions [5,8]. Moreover, most of these solutions are rather 
complicated and inefficient, with the exception of [8]. An alternative to the 
VRF concept would be to commit to the key and use standard non-interactive 
zero-knowledge to prove that the function value is correct, but this would be very 
inefficient. In contrast, our technique allows us to assume only standard DDH 
and have a reasonably efficient and conceptually simple solution. 

It is easy to adapt our technique also to the threshold pseudorandom function 
from Nielsen [12]. This gives a non-interactive solution with a smaller communi- 
cation complexity than the interactive protocol from [12]. 
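The verifiable evaluation just described, as an added example that is not the paper's code: one SKZK key pair per secret exponent a_{j,b}, the list of prefix values, and the verifier's step-by-step check. It assumes a constructed toy group (the order-q subgroup of Z_p^*, p = 1019, generator 4) and l = 4 key pairs; the functions skzk_keygen, nr_keygen, prover_send and verify_chain are names chosen for this example.

```python
# Added example (not the paper's code): non-interactive verification of the
# Naor-Reingold function f_k(sigma) = g^(a_{1,sigma_1} ... a_{m,sigma_m}) with
# one SKZK key pair per secret exponent a_{j,b}.  Toy group constructed for
# this example: the order-q subgroup of Z_p^*, p = 2q + 1 a small safe prime.
import secrets

P, Q, G = 1019, 509, 4
K = 8                         # bit length of alpha
LEN = 4                       # l: number of key pairs, i.e. the input length

def skzk_keygen(secret):
    """Key generation: V gets (alpha, beta), P gets y, beta = alpha*secret + y."""
    alpha = secrets.randbelow(2 ** K - 1) + 1           # nonzero alpha
    y = secrets.randbelow(2 ** (2 * K + Q.bit_length()))
    return (alpha, alpha * secret + y), y

def nr_keygen():
    """Private key: l pairs (a_{j,0}, a_{j,1}) in Z_q, plus SKZK keys for each
    a_{j,b}: vkeys[j][b] held by the verifier, ys[j][b] held by the prover."""
    a = [[secrets.randbelow(Q) for _ in range(2)] for _ in range(LEN)]
    vkeys = [[None, None] for _ in range(LEN)]
    ys = [[None, None] for _ in range(LEN)]
    for j in range(LEN):
        for b in range(2):
            vkeys[j][b], ys[j][b] = skzk_keygen(a[j][b])
    return a, vkeys, ys

def nr_eval(a, sigma):
    """f_k(sigma) for a bit sequence sigma of length m <= l."""
    e = 1
    for j, bit in enumerate(sigma):
        e = e * a[j][bit] % Q
    return pow(G, e, P)

def prover_send(a, ys, sigma):
    """The list g^{a_{1,s_1}}, g^{a_{1,s_1} a_{2,s_2}}, ... together with, for
    each step, the SKZK proof v = base^{y_{j,s_j}} that the new element is the
    previous one raised to a_{j,s_j}."""
    chain, proofs, base = [], [], G
    for j, bit in enumerate(sigma):
        nxt = pow(base, a[j][bit], P)
        chain.append(nxt)
        proofs.append(pow(base, ys[j][bit], P))
        base = nxt
    return chain, proofs

def verify_chain(vkeys, sigma, chain, proofs):
    """Checks base^beta == v * element^alpha at every step of the list."""
    base = G
    for j, bit in enumerate(sigma):
        alpha, beta = vkeys[j][bit]
        if pow(base, beta, P) != proofs[j] * pow(chain[j], alpha, P) % P:
            return False
        base = chain[j]
    return len(chain) == len(sigma)

def demo(sigma):
    """Honest run, then a forged final list element; returns the verdicts
    (list ends in f_k(sigma), honest list verifies, forged list verifies)."""
    a, vkeys, ys = nr_keygen()
    chain, proofs = prover_send(a, ys, sigma)
    forged = list(chain)
    forged[-1] = forged[-1] * G % P        # tamper with the claimed f_k(sigma)
    return (chain[-1] == nr_eval(a, sigma),
            verify_chain(vkeys, sigma, chain, proofs),
            verify_chain(vkeys, sigma, forged, proofs))

if __name__ == "__main__":
    print(demo([1, 0, 1, 1]))
```

Because α is nonzero and the group has prime order q > 2^k, the forged element is always rejected; a forger who does not know α succeeds with probability about 2^{-k} per proof, as in the basic proof system.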



5 Non-interactive Verifiable Exponentiation 

We consider the following problem: a set of l servers, of which t are corrupt, hold 
shares of a secret integer d. A client C specifies g in some finite Abelian group 
G, and the servers want to allow the client to compute g^d non-interactively, i.e., 
by sending information to C only once and with no communication between 
servers. This has immediate connections to threshold cryptography, and can be 
applied directly to distributed El-Gamal and RSA. Below, we give two solutions with 
different properties. 

5.1 Using Secret-Key Zero-Knowledge 

To illustrate how we can use secret-key zero-knowledge in this context, the easiest 
way is to consider Shoup's threshold RSA scheme [15], where indeed the purpose is 
to do non-interactive verifiable exponentiation in the group Z*_n, where n = pq is 
a product of safe primes, and where we assume that t < l/2. To make this scheme 
robust (verifiable), each server S_i needs to prove that a given input number was 
raised to a secret share s_i (of the private RSA exponent) held by S_i. By squaring 
the inputs, Shoup makes sure that this proof can be done assuming we work in 
a group with only large prime factors in its order. It is therefore clear that our 
proof system can be directly plugged in, instead of the random oracle based 
proofs that were used in [15]. This will even be more efficient by a constant 
factor. 

Of course, this can only be used directly assuming there are keys set up for proofs 
going from each server to the client. But we can also do something assuming the 
client has no keys, but we have keys for pairwise interaction between the servers. 
Namely, the client requests from each server a signature share (g^{s_i} mod n) and 
proofs of correctness for this share, directed to each of the other servers. Then 
the client sends these signature shares and proofs back to the servers for approval. 
He will only keep those signature shares that were approved by a majority of 
the servers. By soundness of the proofs, this will leave the client with at least 
t + 1 shares, all of which are correct, and this is sufficient to find g^d mod n. 

5.2 An Alternative without Secret Key Zero-Knowledge 

The following solution is non-interactive and does not require the client to have 
any secret keys. This comes at the price of more communication and assuming 
t < l/3. For simplicity, we work over a group G_q of prime order q, and the secret 
value d is an element of Z_q. 

Consider first a situation where some server S knows a secret value d, and 
where the other l − 1 servers S_r have correct shares s_r of d, according to Shamir's 
scheme. S also knows the polynomial F(X) = d + d_1 X + ··· + d_t X^t according 
to which d was shared. Write s_r = F(r). 

Here is a simple protocol where the client C can easily check whether the 
value h he receives from S is indeed equal to g^d, with g ∈ G_q specified by 
the client. There is no interaction between the servers. Each of the servers just 
sends some information to C, and C performs an off-line check on the total of 
this information to decide on the correctness of h. The protocol has zero error 
probability, while C learns only the value g^d. 
S sends the value h to C, equal to g^d if S is honest. Additionally, S sends 
the values h_j, equal to g^{d_j} if S is honest. Each other server S_r sends the value 
f_r to C, equal to g^{s_r} if S_r is honest. 

From the information sent by S and by performing "polynomial evaluation 
in the exponent," C now computes the values f'_r, equal to g^{s_r} if S is honest. 
Concretely, C computes 

f'_r = h · ∏_{j=1}^{t} h_j^{r^j}   (1) 

which equals g^{d + d_1 r + ··· + d_t r^t} = g^{F(r)} when S is honest. In the case that there 
are at most t inconsistencies 

f_r ≠ f'_r, 

C decides that h = g^d indeed. Otherwise he decides that S is corrupt. 

It is easy to see that this works. First, consider the case that S is honest. This 
implies that h and the h_j are correct. If S_r is honest as well, then clearly f_r = f'_r. 
Up to t of the servers S_r are corrupt, so there are at most t inconsistencies 
f_r ≠ f'_r. Thus, C makes the correct decision. 

Second, if S is corrupt and h ≠ g^d, then there are more than t inconsisten- 
cies and C correctly decides that S is corrupt. This is argued as follows. The 
information sent by S does define, in "the exponents," a polynomial of degree 
at most t. However, since log_g h ≠ d by assumption, it must be a different one 
from F(X). By Lagrange interpolation and the natural one-to-one correspon- 
dence between Z_q and G_q, it follows that at most t of the l − 1 values f'_r equal 
g^{s_r}. Equivalently, f'_r ≠ g^{s_r} for at least (l − 1 − t) values of r. However, apart 
from S, there may be t − 1 other corrupt servers S_r. Therefore, f_r ≠ f'_r for at 
least (l − 1 − t) − (t − 1) = l − 2t values of r. But t < l/3, so this means that 
there are more than t inconsistencies, and that C decides that S is corrupt. 

Finally, we argue that a static adversary who corrupts C and at most t 
servers (but not S) will learn nothing except g^d. We do this by simulating 
his entire view given this value. From corrupting t servers the adversary will learn 
s_r for t values of r. Suppose without loss of generality that these are S_1, ..., S_t. 
This can be simulated perfectly by choosing t uniformly random values modulo 
q. These values together with d define a polynomial F() of degree ≤ t where 
F(0) = d, F(1) = s_1, ..., F(t) = s_t. Since we have t + 1 values of F(), it follows 
that for any coefficient d_j of F(), there exist Lagrange interpolation coefficients 
γ_0, ..., γ_t such that 

d_j = γ_0 d + γ_1 s_1 + ··· + γ_t s_t,   and hence   g^{d_j} = (g^d)^{γ_0} · g^{γ_1 s_1 + ··· + γ_t s_t}, 

and this value can easily be computed given g^d, s_1, ..., s_t, i.e., we can simulate 
perfectly the extra information sent by S. Finally, we can use these values to 
simulate the contribution from the honest S_r's using (1). 

Now we return to the scenario of interest, non-interactive verifiable exponen- 
tiation. Each of the l servers S_i has a share s_i of d, according to Shamir's scheme 
with t < l/3. Let g ∈ G_q be the element specified by the client C. 

Additionally we now assume that, for each server S_i, an instance of the above 
verification protocol has been correctly set up, where S_i plays the role of S, the 
other servers play the roles of the S_r, and d is replaced by s_i. 

If we now run the verification protocol above for each server S_i, the client 
C can easily filter out an incorrect value sent by a corrupt S_i, and remain with 
at least l − t > t correct values g^{s_i}. By "interpolation in the exponent," i.e., 
multiplying these correct values together, raised to appropriate Lagrange 
interpolation coefficients, C recovers the correct value g^d. 
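The protocol of Section 5.2, carried through end to end as an added example (not the paper's code): the check of equation (1) per server, the inconsistency count against t, and the final interpolation in the exponent. It assumes a constructed toy group (the order-q subgroup of Z_p^*, p = 1019, generator 4), l = 7 servers with t = 2, and one fixed cheating strategy for the corrupt servers; the function names are chosen for this example.

```python
# Added example (not the paper's code): the verification protocol of
# Section 5.2 and its use for non-interactive verifiable exponentiation.
# Toy group, constructed for this example: the order-q subgroup of Z_p^*
# with p = 2q + 1 a small safe prime; l = 7 servers, t = 2 corrupt (t < l/3).
import secrets

P, Q, G = 1019, 509, 4
L_SERVERS, T = 7, 2

def random_poly(const, deg):
    """F(X) = const + d_1 X + ... + d_deg X^deg with random d_j in Z_q."""
    return [const] + [secrets.randbelow(Q) for _ in range(deg)]

def poly_eval(f, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(f)) % Q

def dealer_msg(g, f):
    """S sends h = g^F(0) and h_j = g^{d_j}, j = 1..t."""
    return pow(g, f[0], P), [pow(g, c, P) for c in f[1:]]

def eval_in_exponent(h, hs, r):
    """Equation (1): f'_r = h * prod_j h_j^(r^j), equal to g^F(r) if S is honest."""
    val = h
    for j, hj in enumerate(hs, start=1):
        val = val * pow(hj, pow(r, j, Q), P) % P
    return val

def client_check(h, hs, reports):
    """reports maps r -> f_r sent by S_r. Accept h iff at most t inconsistencies."""
    bad = sum(1 for r, fr in reports.items() if fr != eval_in_exponent(h, hs, r))
    return bad <= T

def lagrange_at_zero(xs):
    """Coefficients lambda_i over Z_q with F(0) = sum_i lambda_i * F(x_i)."""
    out = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        out.append(num * pow(den, -1, Q) % Q)
    return out

def verifiable_exponentiation(g, d, corrupt):
    """The l servers hold Shamir shares s_i of d.  Each S_i plays S for its own
    share, which was shared among the others by its own degree-t polynomial.
    The client keeps the g^{s_i} that pass verification and interpolates in the
    exponent.  'corrupt' is the set of cheating server ids (|corrupt| <= t)."""
    F = random_poly(d, T)
    share = {i: poly_eval(F, i) for i in range(1, L_SERVERS + 1)}
    sub = {i: random_poly(share[i], T) for i in share}     # set-up per server
    accepted = {}
    for i in share:
        h, hs = dealer_msg(g, sub[i])
        if i in corrupt:
            h = h * g % P                  # a corrupt S_i claims g^{s_i + 1}
        reports = {}
        for r in share:
            if r == i:
                continue
            if r in corrupt:               # a corrupt S_r reports a junk value
                reports[r] = secrets.randbelow(P - 1) + 1
            else:
                reports[r] = pow(g, poly_eval(sub[i], r), P)
        if client_check(h, hs, reports):
            accepted[i] = h
    ids = sorted(accepted)[:T + 1]         # any t + 1 accepted values suffice
    result = 1
    for i, lam in zip(ids, lagrange_at_zero(ids)):
        result = result * pow(accepted[i], lam, P) % P
    return result, sorted(accepted)

if __name__ == "__main__":
    d = secrets.randbelow(Q)
    print(verifiable_exponentiation(G, d, {2, 5}), pow(G, d, P))
```

With servers 2 and 5 corrupt, each honest S_i sees at most 2 inconsistencies and is accepted, while a corrupt S_i is contradicted by all 5 honest reporters and rejected, matching the l − 2t bound of the text.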
Abstract. Secure computation is one of the most fundamental cryptographic 
tasks. It is known that all functions can be computed securely 
in the information theoretic setting, given access to a black box for some 
complete function such as AND. However, without such a black box, not 
all functions can be securely computed. This gives rise to two types of 
functions, those that can be computed without a black box ( “easy” ) and 
those that cannot (“hard”). However, no further distinction among the 
hard functions is made. 

In this paper, we take a quantitative approach, associating with each 
function f the minimal number of calls to the black box that are required 
for securely computing f. Such an approach was taken before, mostly 
in an ad-hoc manner, for specific functions f of interest. We propose 
a systematic study, towards a general characterization of the hierarchy 
according to the number of black-box calls. This approach leads to a 
better understanding of the inherent complexity for securely computing 
a given function f. Furthermore, minimizing the number of calls to the 
black box can lead to more efficient protocols when the calls to the black 
box are replaced by a secure protocol. 

We take a first step in this study, by considering the two-party, honest- 
but-curious, information-theoretic case. For this setting, we provide a 
complete characterization for deterministic protocols. We explore the hi- 
erarchy for randomized protocols as well, giving upper and lower bounds, 
and comparing it to the deterministic hierarchy. We show that for every 
Boolean function the largest gap between randomized and deterministic 
protocols is at most exponential, and there are functions which exhibit 
such a gap. 



1 Introduction 

The ability to compute functions securely is one of the most fundamental cryp- 
tographic tasks. Very roughly, two-party secure computation (on which we focus 
in this paper) involves two parties, Alice and Bob, who want to perform some 
computation on their inputs without leaking any additional information which 
does not follow from the intended output. 

It is known (cf. [4,9,10,22]) that not all functions can be computed securely 
in the information-theoretic setting. However, Goldreich and Vainish [16] and 
Kilian [18] proved that every function can be computed securely in the informa- 
tion theoretic setting, given a black box that computes some complete function, 
such as Oblivious Transfer or the AND function. This type of reduction is 
useful, because the security of the protocol is automatically maintained (com- 
putationally) when the black box is replaced by any computationally secure im- 
plementation of the function (such implementations exist under computational 
assumptions).¹ Moreover, such reductions provide a qualitative separation be- 
tween "easy" functions that can be securely computed without calling the black 
box, and the "hard" functions which are the rest. Indeed, the notion of a re- 
duction plays a central role at the heart of cryptographic foundations research 
(similarly to its central role in complexity theory). For example, black-box re- 
ductions between different cryptographic primitives were given in [6,11,12,19,7, 
5,13,21]. 

A long line of research has focused on studying, in various settings, which 
functions belong to the “easy” category above, and which are “hard”, as well 
as studying which functions are complete (which in some cases turned out to 
be the same as all hard functions). In particular, these questions have been 
answered (with full characterization) for Boolean functions [10], in the two-party 
model [22,1,3], and completeness results appear in [19,21,3,20]. However, these 
works do not give rise to a hierarchy of different degrees of hardness, as they 
do not distinguish among the different functions that can be computed with a 
specific complete (say AND) black box. 

Such a hierarchy exists (for the information-theoretic reduction setting), by a 
result of Beaver [2], showing that for all k, there are functions that can be securely 
computed with k executions of the AND black box but cannot be computed with 
k − 1 executions of the black box. We explore the hierarchy in this work. 

Our Goals. In this paper, we propose to take a quantitative approach, classify- 
ing functions by how many calls to the black box are required to compute them 
securely. Minimizing the number of calls to the black box is especially desired 
as it can lead to more efficient protocols when the calls to the black box are 
replaced by a secure protocol. This problem was previously investigated in an 
ad-hoc manner, for specific functions of interest (e.g., different forms of OT). In 
most cases, only upper bounds on the number of calls were given. Two exceptions 
are Beaver [2], who proved that securely computing n outputs of $\binom{2}{1}$OT with un- 
related inputs requires at least n calls to $\binom{2}{1}$OT, and Dodis and Micali [14], who 
proved that securely computing $\binom{n}{1}$OT requires at least n − 1 calls to $\binom{2}{1}$OT 
(see also [24]). 

We propose a systematic study of the quantitative approach to reductions 
in secure computation, towards a deeper understanding of the inherent com- 
plexity of securely computing functions. In particular, focusing for the sake of 
presentation on the AND black box, we ask the following questions: 

— Is there a well-defined rich hierarchy of functions based on how many ANDs 
are required to securely compute them? 

— Given a function, can we give upper bounds on how many ANDs suffice to 
securely compute it? Can we give lower bounds? 

— Can we give a combinatorial characterization of the functions with a certain 
minimal number of ANDs? 

¹ In this paper we consider the honest-but-curious model where modular composition 
is fairly straightforward. In the malicious model modular composition holds as well. 
See [8] for definitions and results on modular composition in the malicious model. 

These problems are interesting in several settings. For the first problem, 
Beaver [2] provided a negative answer (the hierarchy collapses) in the compu- 
tational setting, and a positive answer in the information theoretic setting, for 
randomized protocols (and for randomized functions, as well). Recently, Ishai et 
al. [17] proved that the hierarchy collapses in the random oracle model as well. 

We note that by results of [16], lower bounds on the number of ANDs imply 
circuit lower bounds, meaning that it would be very hard to prove super-linear 
lower bounds in n for functions of the form f : {0,1}^n × {0,1}^n → {0,1}. 
However, it would be very interesting to prove such linear lower bounds and to 
try to explore tighter connections with circuit complexity and communication 
complexity² of the functions. 

Our Results. We start the investigation by studying the information-theoretic, 
two-party, honest-but-curious setting, where the output of the AND black box is 
received only by Alice. Unless otherwise noted, we also consider protocols with 
perfect correctness and security. For this setting we prove the following results: 
Deterministic Protocols. For deterministic protocols we show: 

— A complete combinatorial characterization of the minimal number of ANDs 
required to securely compute f (the characterization is a recursive one, based 
on the truth-table of f). 

For finite functions one can find the optimal protocol using our characterization. 
However, in general, our characterization does not lead to an efficient algorithm 
that determines how many ANDs are required to compute a function securely. 
This motivates the following results: 

— A simple, explicit upper bound on the number of ANDs required for f. This 
upper bound may be exponential in the size of the input. 

— For Boolean functions f we prove that the above upper bound is tight by 
showing a matching lower bound. This implies that for some functions, an 
exponential number of ANDs is necessary. 

Randomized Protocols. For randomized protocols we show: 

— An exponential gap using randomization: There are functions for which the 
number of ANDs required in a randomized protocol is exponentially smaller 
than the number of ANDs required in a deterministic protocol. We further 
exhibit a tradeoff between the number of random bits used and the number 
of ANDs required for one such example (Inner Product) where there is an 
exponential gap. 

² Naor and Nissim [25] give some connections between the communication complexity 
of a function and the communication complexity for securely computing the function. 
However, translating them into our model, the number of ANDs is exponential in 
the communication complexity. 

— A lower bound: We prove a lower bound, depending on the function truth- 
table, on the number of ANDs required by any secure randomized protocol. 
Using this lower bound, we prove that for Boolean functions the gap cannot 
be super exponential: For any randomized protocol with q ANDs, there is a 
deterministic protocol for the same function with at most 2^q ANDs. 

— Gap already with 4 ANDS: There is a function that can be securely com- 
puted by a randomized protocol with 4 ANDs, however, every deterministic 
protocol securely computing it requires at least 6 ANDs. 

— No gap with 1 AND: The functions that can be securely computed with one 
call to the AND black box are the same as in the deterministic case with 
one AND (for which an explicit characterization is given). 

— Gap between perfect and non-perfect protocols: There are functions that 
require at least a linear (in the input length) number of ANDs for any perfect 
(randomized) protocol, but can be computed with k ANDs (for any k), 
achieving a protocol with 1/2^k probability of error and statistical distance. 

— Lower bound for non-perfect protocols: We show that the one-way random- 
ized communication complexity in the shared-randomness model is a lower 
bound for the number of ANDs required by non-perfect protocols. 

Extensions to Other Models and Complete Functions. As explained 
earlier, we choose the simplest model of secure computation to consider our 
quantitative approach. Some of our results carry over directly to other models, 
and some questions still remain open in the other models. We hope that our paper 
would be a starting point for further research which will clarify the situation in 
more complex models as multi-party protocols, and the protocols that are secure 
against malicious parties. 

Specifically, only Alice gets the output of the function while Bob should 
not learn any information on the input of Alice. This one-sided model is the 
correct model when considering malicious two-party secure computation where 
the first party to get the output can quit the protocol preventing the other party 
from getting the output. In the honest-but-curious model, the one-sidedness of 
the output is not the only possibility; we choose it since we want the simplest 
model. Some results on the two-sided model, where Alice and Bob each receive 
their own output, appear in the full version of this paper. 

Furthermore, we state all our results counting the number of ANDs needed. 
However, every finite function (a function with a constant number of inputs) can 
be computed securely using a constant number of ANDs, and the AND function 
can be computed with one call to any complete function (this is implied by results 
of [3]). So, the results of this paper carry over to every finite complete 
function, up to a constant factor. For example, the $\binom{2}{1}$-OT function 
(1-out-of-2 oblivious transfer) can be computed securely with two ANDs. Thus, 
all lower bounds on the number of ANDs translate into the same lower bounds on 
the number of $\binom{2}{1}$-OT calls, up to a factor of 2. 

Circuit Complexity vs. Number of ANDs in Secure Computation. As 
explained above, the circuit complexity of a function $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ 
provides an upper bound on the number of ANDs required for secure computation 
of $f$ by a randomized protocol. It might seem tempting to think that the 
circuit complexity characterizes the number of ANDs. However, this is not true. 
There are functions with high circuit complexity which require few or no ANDs. 
For example, $f$ can be a function only of Alice's input with high circuit 
complexity, which Alice can compute securely without any communication or calls 
to the AND black box. Furthermore, our results show that circuit complexity does 
not characterize the number of ANDs required to securely compute a function 
by a deterministic protocol (this number of ANDs can be larger or smaller than 
the circuit complexity). 

2 Preliminaries 

In this section we define one-sided information-theoretic secure two-party 
computation in the honest-but-curious model. In our definition we allow the 
parties to call a black box that computes a pre-defined function. 

Protocols. We consider a two-party protocol with a pair of parties (Turing 
Machines), Alice and Bob. They have access to a black box BB which computes 
some function $\mathrm{BB} : D_1 \times D_2 \to D_3$. Briefly, on inputs $(x, y)$, where $x$ 
is a private input for Alice and $y$ a private input for Bob, and random inputs 
$(r_A, r_B)$, where $r_A$ is a private random tape for Alice and $r_B$ is a private random 
tape for Bob, protocol (Alice, Bob) computes its output in a sequence of rounds 
of three types: Alice's rounds, Bob's rounds, and black-box rounds. In an Alice's 
round (respectively, Bob's round) only Alice (respectively, only Bob) is active 
and sends a message (i.e., a string) that will become an available input to Bob 
(respectively, to Alice) in the next round. In a black-box round Alice puts a 
value $a \in D_1$ in a register and Bob puts a value $b \in D_2$ in a register. At the end 
of this round Alice gets the value $\mathrm{BB}(a, b)$ in a third register, and Bob gets no 
information. A computation of Alice and Bob ends in a round in which Alice 
computes a private output. In this paper we focus on an AND black box, where 
$\mathrm{AND} : \{0,1\} \times \{0,1\} \to \{0,1\}$ and $\mathrm{AND}(a, b) = a \wedge b$. 

Transcripts, Views, and Outputs. Letting $E$ be an execution of protocol 
(Alice, Bob) on inputs $(x, y)$ and random inputs $(r_A, r_B)$, we make the following 
definitions: 

— The transcript of $E$ consists of the sequence of messages exchanged by Alice 
and Bob, and is denoted by TRANS$(x, r_A, y, r_B)$; 

— The black-box outputs of $E$ consist of the outputs of the black box during 
the execution of the protocol, and are denoted by BLACK-BOX$(x, r_A, y, r_B)$; 

— The view of Alice consists of the quadruplet 

$(x, r_A, \mathrm{TRANS}(x, r_A, y, r_B), \mathrm{BLACK\text{-}BOX}(x, r_A, y, r_B))$, 

and is denoted by VIEW$_{\mathrm{Alice}}(x, r_A, y, r_B)$; 

— The view of Bob consists of $(y, r_B, \mathrm{TRANS}(x, r_A, y, r_B))$ and is denoted by 
VIEW$_{\mathrm{Bob}}(x, r_A, y, r_B)$. 

We consider the random variables TRANS$(x, \cdot, y, r_B)$, TRANS$(x, r_A, y, \cdot)$, 
and TRANS$(x, \cdot, y, \cdot)$, respectively obtained by randomly selecting $r_A$, $r_B$, or 
both, and then outputting TRANS$(x, r_A, y, r_B)$. We also consider the similarly 
defined random variables for VIEW$_{\mathrm{Alice}}$ and VIEW$_{\mathrm{Bob}}$. 

In the model we consider, the two-party honest-but-curious model, each party 
is curious, that is, it may try to deduce as much information as possible from its 
own view of an execution about the other's private input. However, each party 
is honest, that is, it scrupulously follows the instructions of the protocol. In such 
conditions, it is easy to enforce the correctness condition (for securely computing 
a function $f$), but not necessarily the privacy conditions. Note that, unlike secure 
computation in the malicious model, in the honest-but-curious model we can 
separate the security requirement into two separate requirements: correctness 
and privacy. 

In the following definition we consider partial functions $f : A \times B \to C \cup \{*\}$, 
where $A$, $B$ and $C$ are some finite sets and $* \notin C$. If $f(x,y) = *$ then we say 
that $f$ is undefined on $x, y$. The reason that we consider partial functions is 
that in Section 3 we use them to characterize the number of ANDs required to 
securely compute fully-defined functions. To define the privacy in a protocol we 
consider the statistical distance between two distributions $Y_0, Y_1$, which is defined 
by 

$$\mathrm{DIST}(Y_0, Y_1) = \frac{1}{2} \sum_{y} \bigl|\Pr[Y_0 = y] - \Pr[Y_1 = y]\bigr|.$$ 

Definition 1 (Secure Computation). Let $f : A \times B \to C \cup \{*\}$ be a function, 
and $0 \le \epsilon, \delta < 1$. A protocol (Alice, Bob) $(\epsilon, \delta)$-securely computes $f$ if the 
following conditions hold: 

Correctness. For every $x \in A$ and every $y \in B$, if $f(x,y) \ne *$, then the probability 
that the output of Alice with VIEW$_{\mathrm{Alice}}(x, \cdot, y, \cdot)$ is $f(x,y)$ is at least 
$1 - \epsilon$, where the probability is taken over $r_A$ and $r_B$. 

Bob's Privacy. $\forall x \in A$, $\forall y_0, y_1 \in B$, $\forall r_A$, if $f(x,y_0) = f(x,y_1) \ne *$ then 

$$\mathrm{DIST}(\mathrm{VIEW}_{\mathrm{Alice}}(x, r_A, y_0, \cdot), \mathrm{VIEW}_{\mathrm{Alice}}(x, r_A, y_1, \cdot)) \le \delta.$$ 

Alice's Privacy. $\forall x_0, x_1 \in A$, $\forall y \in B$, $\forall r_B$, if $f(x_0,y) \ne *$ and $f(x_1,y) \ne *$, 
then 

$$\mathrm{DIST}(\mathrm{VIEW}_{\mathrm{Bob}}(x_0, \cdot, y, r_B), \mathrm{VIEW}_{\mathrm{Bob}}(x_1, \cdot, y, r_B)) \le \delta.$$ 

A protocol securely computes $f$ if it $(0,0)$-securely computes $f$. In this case, 
we also say that the protocol computes $f$ with perfect security. A protocol is 
deterministic if Alice's and Bob's moves in the protocol do not depend on their 
random inputs. 

Notice that the requirements in Alice's privacy and in Bob's privacy are not 
symmetric. We require that Alice's privacy is protected for all inputs where $f$ 
is defined. As Alice learns the output of $f$, we require that Bob's privacy is 
protected only when $f(x,y_0) = f(x,y_1) \ne *$. 

The main measure we consider is the number of calls to the black box during 
a protocol. 

Definition 2 (Number of ANDs). The number of calls to the AND black box 
in a protocol is the maximum over the inputs $x$ and $y$ and random inputs $r_A$ and 
$r_B$ of the number of black-box rounds in the execution with $x$, $y$, $r_A$, and $r_B$. 

Beimel, Micali, and Malkin [3], following Kushilevitz [22], characterize which 
functions can be computed securely without any calls to the AND black box. 
Their characterization uses the following notation and definitions. We represent 
a function $f : A \times B \to C \cup \{*\}$ by a matrix $M_f$ whose rows are labeled by the 
elements of $A$, columns are labeled by the elements of $B$, and $M_f(x, y) = f(x, y)$. 

Definition 3 (Insecure Minor). A matrix contains an insecure minor if there 
are $x_0, x_1, y_0, y_1$ such that $M(x_0,y_0) = M(x_0,y_1) \ne *$, $M(x_1,y_0), M(x_1,y_1) \ne *$, 
and $M(x_1,y_0) \ne M(x_1,y_1)$. 

The following theorem of [3] states that a function can be computed securely 
without ANDs iff it does not contain an insecure minor. 

Theorem 1 ([3]). The function $f$ can be computed by a perfectly-secure 
randomized protocol with 0 ANDs if and only if the function $f$ can be computed 
by a deterministic protocol with 0 ANDs if and only if $M_f$ does not contain an 
insecure minor. 

The next definition is helpful for characterizing the number of required ANDs, 
by defining a relation on the columns of the matrix $M_f$. 

Definition 4 ([22]). The relation $\sim_C$ on the columns of a matrix $M$ is defined 
as follows: $y, y' \in B$ satisfy $y \sim_C y'$ if there exists some $x \in A$ such that 
$M(x,y) = M(x,y') \ne *$. The equivalence relation $\equiv_C$ on the columns of $M$ 
is defined as the transitive closure of the relation $\sim_C$. That is, $y \equiv_C y'$, for 
$y, y' \in B$, if there are $y_1, \ldots, y_\ell$ such that $y \sim_C y_1 \sim_C y_2 \sim_C \cdots \sim_C y_\ell \sim_C y'$. 

In the rest of this section we prove various properties of secure protocols used 
throughout the paper. We next relate the number of ANDs required to securely 
compute a function to the number of ANDs required to securely compute the 
functions restricted to each equivalence class. The proof of the following lemma 
appears in the full version of the paper. 

Lemma 1. Let $f : A \times B \to C \cup \{*\}$ be a function, let $B_1, \ldots, B_\ell$ be the equivalence 
classes of the relation $\equiv_C$, and define $f_i : A \times B_i \to C \cup \{*\}$ as the restriction 
of $f$ to $B_i$. The function $f$ can be computed securely by a randomized protocol 
(respectively, deterministic protocol) with $q$ ANDs if and only if each function 
$f_i$ can be computed securely by a randomized protocol (respectively, deterministic 
protocol) with $q$ ANDs. 

For the results in this paper, we need the following standard result. 
Informally, the lemma asserts that if the columns of $M_f$ are equivalent then in 
perfectly-secure protocols no information is disclosed by the communication, and 
all the information that Alice needs to compute the function is passed through 
the outputs of the black box alone. 

Lemma 2. Let $f : A \times B \to C$ be a function s.t. all columns of $M_f$ are equivalent 
and let $c$ be any communication transcript that can be exchanged between Alice 
and Bob in a protocol with perfect privacy. Then for every $x, x' \in A$ and every 
$y, y' \in B$ it holds that $\Pr[c = \mathrm{TRANS}(x, \cdot, y, \cdot)] = \Pr[c = \mathrm{TRANS}(x', \cdot, y', \cdot)]$, 
where the probability is taken over the random inputs of Alice and Bob. 
The proof of Lemma 2 is omitted. Recall that in any deterministic protocol, 
for every $x, y$ there is one possible communication transcript. Thus, by Lemma 2, 
if all the columns of $M_f$ are equivalent, then the same transcript will be 
exchanged for every pair of inputs. Thus, in deterministic protocols Alice and Bob 
can discard the communication and only execute the AND black boxes. 

Lemma 3. Let $f : A \times B \to C$ be a function s.t. all columns of $M_f$ are 
equivalent. In every deterministic secure protocol there is exactly one communication 
transcript that is exchanged between Alice and Bob for all inputs $x, y$. 



3 Deterministic Protocols 



In this section we examine how many ANDs are needed to compute a function 
securely by a deterministic protocol. We start by giving an exact characteriza- 
tion of the functions that can be securely computed by deterministic protocols 
with q ANDs. This characterization proves that there is a complete hierarchy 
of functions according to the number of ANDs. In particular, we establish that 
every function can be computed securely by a deterministic protocol provided 
that enough ANDs are executed. This should be contrasted to the malicious 
model where it is known that randomization is required [14]. 

For finite functions one can find the optimal protocol using our character- 
ization. However, in general, our characterization does not lead to an efficient 
algorithm that determines how many ANDs are required to compute a function 
securely. Therefore, in Theorem 3 we give a simple and explicit upper bound 
on the number of ANDs that are required. Finally, we show in Theorem 4 that 
this upper bound is tight for Boolean functions. We note that our upper bound 
seems to be impractical since the number of ANDs can be exponential in the 
length of the input. However, at least for Boolean functions, our lower bound 
proves that this is unavoidable if we consider deterministic protocols. 

To characterize what can be done with $q$ ANDs by a deterministic protocol, 
we note that first Alice and Bob call the AND black box once, and then execute 
a protocol with $q-1$ ANDs to compute a related function described in Figure 1. 
For the first execution there are sets $A_1 \subseteq A$ and $B_1 \subseteq B$ such that Alice 
gets output one from the AND black box if and only if $x, y \in A_1 \times B_1$. We 
have two requirements: (1) Alice does not learn any extra information from 
the output of the first AND black box, and (2) Alice and Bob can compute 
the following function $f_{A_1,B_1}$ using $q-1$ ANDs. Formally, given a function $f : 
A \times B \to C \cup \{*\}$ and two sets $A_1 \subseteq A$ and $B_1 \subseteq B$ we define a function 
$f_{A_1,B_1} : (A \cup (A_1 \times \{1\})) \times B \to C \cup \{*\}$, described in Figure 1, as follows: 

1. $f_{A_1,B_1}(x, y) = f(x, y)$ for every $x \in A \setminus A_1$ and every $y \in B$. 

2. $f_{A_1,B_1}(x, y) = f(x, y)$ for every $x \in A_1$ and every $y \in B \setminus B_1$. 

3. $f_{A_1,B_1}(x, y) = *$ for every $x \in A_1$ and every $y \in B_1$. 

4. $f_{A_1,B_1}((x, 1), y) = *$ for every $x \in A_1$ and every $y \in B \setminus B_1$. 

5. $f_{A_1,B_1}((x, 1), y) = f(x, y)$ for every $x \in A_1$ and every $y \in B_1$. 
Fig. 1. The matrices of the functions $f$ and $f_{A_1,B_1}$. The numbers in the description 
of $f_{A_1,B_1}$ refer to the different cases in its definition. 



Theorem 2. Let $f : A \times B \to C \cup \{*\}$ be a function such that all columns of $M_f$ 
are equivalent according to $\equiv_C$. The function $f$ can be computed securely with 
$q$ calls to the AND black box if and only if there are sets $A_1 \subseteq A$ and $B_1 \subseteq B$ 
such that the following two requirements hold: 

1. For every $x \in A_1$, every $y_0 \notin B_1$, and every $y_1 \in B_1$ such that 
$f(x,y_0), f(x,y_1) \ne *$ it holds that $f(x,y_0) \ne f(x,y_1)$, and 

2. The function $f_{A_1,B_1}$ can be computed securely with $q-1$ calls to the AND 
black box. 

Proof. We first prove that the above conditions are sufficient. Assume the 
conditions hold. The secure protocol for computing $f$ proceeds as follows: 

— Alice and Bob call the AND black box, where Alice puts 1 iff $x \in A_1$ and 
Bob puts 1 iff $y \in B_1$. 

— Alice and Bob execute the secure protocol for $f_{A_1,B_1}$ with $q-1$ calls to the 
AND black box, where Bob's input is $y$ and Alice's input is $(x, 1)$ if the AND 
output is 1 and $x$ otherwise. 

— Alice's output is the output of the protocol for $f_{A_1,B_1}$. 

We first argue that the protocol is correct. On one hand, if the output of 
the AND black box is 1, then $x \in A_1$ and $y \in B_1$. Thus, by the definition of 
$f_{A_1,B_1}$ it holds that $f_{A_1,B_1}((x, 1), y) = f(x,y)$, and the output of the protocol is 
correct. On the other hand, if the output of the AND black box is 0, then either 
$x \notin A_1$ or $y \notin B_1$. Thus, $f_{A_1,B_1}(x,y) = f(x,y)$, and the output of the protocol 
is correct. Note that the protocol never tries to evaluate $f_{A_1,B_1}$ on inputs where 
it is not defined. 

To argue that the protocol is perfectly-secure, first note that Bob gets no 
messages during the first step of the protocol, and he does not get any information 
from the black box. This guarantees Alice's privacy. To argue about Bob's 
privacy, note that Alice learns information about $y$ from the first call to the AND 
black box only if $x \in A_1$. In this case, by Condition 1, Alice learns whether $y \in B_1$ 
from the output of the function $f$ itself. Thus, this step is secure, and Alice is 
allowed to know the output of the black box and the output of $f_{A_1,B_1}$, which as 
argued is equal to the desired output of $f$. Finally, as the protocol for $f_{A_1,B_1}$ is 
secure, the entire protocol for $f$ is secure. 

We next prove that the conditions of the theorem are necessary. Assume that 
$f$ can be computed securely with $q$ ANDs. By Lemma 3, we can assume w.l.o.g. 
that Alice and Bob do not exchange any messages, and all information Alice 
gets is through the outputs of the calls to the AND black boxes. Let $A_1$ and $B_1$ 
be the sets of inputs of Alice and Bob respectively for which they put 1 to the 
first call to the AND black box. Condition 1 must hold, or otherwise Alice learns 
extra information from the answer of the first AND. As for Condition 2, we can 
use the following protocol to compute $f_{A_1,B_1}$ securely with $q-1$ ANDs: Alice 
and Bob execute the protocol for $f$ with the following two changes: (1) If Alice's 
"real" input is $(x, 1)$ for $x \in A_1$ then she replaces it by the input $x$, and (2) the 
first call to the AND black box is not executed. Instead, Alice simulates it by 
considering its output as 1 if her input is $(x, 1)$ and 0 otherwise. The rest of the 
protocol is executed without any changes. As the protocol for $f$ uses $q$ ANDs, 
and Alice and Bob do not use the first AND, the resulting protocol for $f_{A_1,B_1}$ 
uses $q-1$ ANDs as required. □ 
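The characterization of Theorem 2, together with Lemma 1 and Theorem 1, is effective for finite functions, as remarked at the start of this section. The following Python code is an added example (not from the paper or its authors): it computes the minimum number of ANDs of a deterministic secure protocol by recursing through the choices $(A_1, B_1)$ of Theorem 2, splitting the matrix into column equivalence classes as in Lemma 1, and stopping at matrices without an insecure minor by Theorem 1. Assumed conventions: a matrix $M_f$ is a tuple of rows with None standing for $*$; duplicate rows and all-$*$ rows are dropped (identical rows can share Alice's strategy); and a row whose defined entries lie entirely on one side of $B_1$ is never put into $A_1$, since the call gives Alice nothing for it. These simplifications and all names below are the editor's.

```python
from functools import lru_cache
from itertools import combinations
from math import ceil, log2

STAR = None   # the undefined value "*" of a partial function f : A x B -> C U {*}

# M_f is a tuple of rows (one per x in A); each row is a tuple over the
# columns (one per y in B) holding f(x, y), or STAR where f is undefined.

def has_insecure_minor(rows):
    """Definition 3: rows x0, x1 and columns y0, y1 with M(x0,y0) = M(x0,y1) != *,
    M(x1,y0) != *, M(x1,y1) != *, and M(x1,y0) != M(x1,y1)."""
    ncols = len(rows[0])
    for x0 in rows:
        for x1 in rows:
            for y0 in range(ncols):
                for y1 in range(y0 + 1, ncols):
                    if (x0[y0] is not STAR and x0[y0] == x0[y1]
                            and x1[y0] is not STAR and x1[y1] is not STAR
                            and x1[y0] != x1[y1]):
                        return True
    return False

def column_classes(rows, ncols):
    """Definition 4: classes of =_C, the transitive closure of y ~_C y' iff some
    row has M(x,y) = M(x,y') != *."""
    parent = list(range(ncols))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for row in rows:
        for y in range(ncols):
            for y2 in range(y + 1, ncols):
                if row[y] is not STAR and row[y] == row[y2]:
                    parent[find(y)] = find(y2)
    classes = {}
    for y in range(ncols):
        classes.setdefault(find(y), []).append(y)
    return list(classes.values())

def canon(rows):
    """Drop all-* rows and duplicate rows; the order of rows is irrelevant."""
    return tuple(sorted({r for r in rows if any(v is not STAR for v in r)}, key=repr))

@lru_cache(maxsize=None)
def min_ands(rows):
    """Minimum number of ANDs of a deterministic secure protocol for M_f."""
    rows = canon(rows)
    if not rows:
        return 0
    ncols = len(rows[0])
    classes = column_classes(rows, ncols)
    if len(classes) > 1:            # Lemma 1: each equivalence class separately
        return max(min_ands(canon(tuple(r[y] for y in cls) for r in rows))
                   for cls in classes)
    if not has_insecure_minor(rows):   # Theorem 1: no AND is needed
        return 0
    best = None
    # Theorem 2: choose the first AND (A1, B1), then recurse on f_{A1,B1}.
    for mask in range(1, 2 ** ncols - 1):          # nonempty proper subsets B1
        B1 = [y for y in range(ncols) if mask >> y & 1]
        B0 = [y for y in range(ncols) if not mask >> y & 1]
        ok = []   # rows allowed in A1: Condition 1 (values on B1 and B\B1 disjoint)
        for r in rows:
            v1 = {r[y] for y in B1 if r[y] is not STAR}
            v0 = {r[y] for y in B0 if r[y] is not STAR}
            if v1 and v0 and not (v1 & v0):
                ok.append(r)
        for k in range(1, len(ok) + 1):
            for A1 in combinations(ok, k):
                new = [r for r in rows if r not in A1]                          # case 1
                for r in A1:
                    new.append(tuple(r[y] if y in B0 else STAR for y in range(ncols)))  # cases 2, 3
                    new.append(tuple(r[y] if y in B1 else STAR for y in range(ncols)))  # cases 4, 5
                q = 1 + min_ands(canon(new))
                if best is None or q < best:
                    best = q
    return best

def matrix(f, A, B):
    """Build M_f for f given as a Python function over finite A and B."""
    return tuple(tuple(f(x, y) for y in B) for x in A)

def theorem3_bound(rows):
    """Theorem 3: |A| * ceil(log |C|) ANDs always suffice."""
    values = {v for r in rows for v in r if v is not STAR}
    return len(rows) * ceil(log2(len(values))) if len(values) > 1 else 0

BITS2 = [(0, 0), (0, 1), (1, 0), (1, 1)]
EQ2 = matrix(lambda x, y: int(x == y), BITS2, BITS2)                      # EQ_2: identity matrix
IP2 = matrix(lambda x, y: (x[0] & y[0]) ^ (x[1] & y[1]), BITS2, BITS2)   # IP_2

if __name__ == "__main__":
    print(min_ands(EQ2), theorem3_bound(EQ2))   # 4 4: the Theorem 3 bound is tight
    print(min_ands(IP2), theorem3_bound(IP2))   # 3 4: the all-zero row of IP_2 needs no AND
```

The search is exponential in the size of the matrix and is meant for functions with a handful of rows and columns; for EQ_2 and IP_2 it confirms the values 2^n and 2^n - 1 derived in Section 4 from Theorems 3 and 4.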

Our next theorem gives a simple upper bound on the number of ANDs 
required to compute a function securely. The proof of this upper bound gives a 
simple secure protocol for computing the function. 

Theorem 3. Let $f : A \times B \to C \cup \{*\}$ be a function. The function $f$ can be 
computed securely by a deterministic protocol with $|A| \lceil \log |C| \rceil$ ANDs. 

Proof. First assume that $f$ is Boolean, i.e., $C = \{0, 1\}$. We next describe a 
protocol which uses $|A|$ ANDs. Assume the input of Alice is $x$ and the input 
of Bob is $y$. For every $z \in A$, Alice and Bob execute the AND black box, 
where Alice puts 1 to the AND if $x = z$ and 0 otherwise, and Bob puts $f(z, y)$ 
to the AND. Alice outputs the output of the AND corresponding to $x$, that is, 
$\mathrm{AND}(1, f(x, y)) = f(x, y)$ as required. Bob does not gain any information during 
this protocol (since there is no communication and only Alice gets the output of 
the black box) and Alice only gains $f(x,y)$. 

If $|C| > 2$, then we consider the binary representation of $f(x,y)$ (of length 
exactly $\lceil \log |C| \rceil$), and execute the above protocol for every bit of $f(x,y)$. □ 

The following theorem shows that the upper bound of Theorem 3 is tight for 
every Boolean function. In the theorem we assume that there is some $y_0$ such 
that $f(x,y_0) = 0$ for every $x \in A$. This assumption is without loss of generality 
since Alice learns the output of the protocol and knows $x$, thus she can use any 
renaming of the outputs in every row. 

Theorem 4. Let $f : A \times B \to \{0, 1\}$ be a Boolean function such that all the rows 
of $M_f$ are distinct and non-constant, there is some $y_0 \in B$ such that $f(x,y_0) = 0$ 
for every $x \in A$, and all of its columns are equivalent according to $\equiv_C$. Then, 
every deterministic protocol computing $f$ securely must use at least $|A|$ ANDs. 

Proof. Fix any deterministic protocol that computes $f$ securely. By Lemma 3, we 
can assume, without loss of generality, that Alice and Bob do not exchange any 
messages and the view of Alice includes her input and the outputs of the black 
box. Consider any $x \in A$. Since $f$ is Boolean there are exactly two views Alice 
should see given $x$: one view for every $y$ such that $f(x, y) = 0$ and another view for 
every $y$ such that $f(x, y) = 1$. For every $x$, consider the first black-box call where 
Alice can get two different answers. As argued above one output corresponds to 
the case where $f(x,y) = 0$ and the other output corresponds to the case where 
$f(x,y) = 1$. Thus, Alice can deduce the output of the function $f(x,y)$ from this 
black-box answer and, therefore, we say that this is the significant call to the 
AND black box for $x$. 

Assume, towards contradiction, that for two different $x_0, x_1 \in A$ the significant 
call is the same. Recall that $f(x_0,y_0) = f(x_1,y_0) = 0$, and since the rows 
corresponding to $x_0$ and $x_1$ are not the same, there is some $y_1$ such that, w.l.o.g., 
$f(x_0,y_1) = 0$ while $f(x_1,y_1) = 1$. Bob has to put the same value to this significant 
call when he holds $y_0$ and $y_1$, or Alice would learn information when she 
holds $x_0$. This means that Alice cannot compute the correct value of $f(x_1,y_0)$ 
or $f(x_1,y_1)$ since in both cases she gets the same information, a contradiction. 

To conclude, for every $x \in A$ there is a unique significant call to the AND 
black box; thus, there are at least $|A|$ calls to the AND black box. □ 

In the protocol implied by Theorem 3, Alice is non-adaptive, as her inputs 
to the AND black box depend only on her input and not on the outputs of 
previous AND black boxes. In Theorem 4 we prove that for Boolean functions 
this is optimal. However, the protocol implied by Theorem 2 is adaptive, and for 
non-Boolean functions adaptivity does help (namely, the bound is not tight), as 
shown in the following example. Consider the function $f : \{0, 1, 2\} \times \{0, 1, 2, 3\} \to 
\{0, 1, 2\}$ described in Figure 2. We next describe a secure protocol for $f$ which 
uses two ANDs. 

Fig. 2. The functions $f$ and $f_{A_1,B_1}$. 

For the first AND, Alice puts 1 if $x \in A_1 = \{1, 2\}$ and Bob puts 
1 if $y \in B_1 = \{2, 3\}$. After this AND Alice and Bob need to securely compute 
the function $f_{A_1,B_1}$ described in Figure 2. Computing $f_{A_1,B_1}$ is done using a 
second AND where Alice puts 1 if $x \in A_2 = \{0, 1, (2, 1)\}$ and Bob puts 1 if 
$y \in B_2 = \{1, 3\}$. After this AND, Alice can deduce the output of $f$ from her 
input and the outputs of the ANDs. In this protocol Alice is adaptive; with input 
1, for example, she puts 1 to the second AND if the output of the first AND was 
0 and she puts 0 otherwise. 
4 Randomized Protocols 

In this section we investigate the power of randomization in our setting. We show 
that, in general, randomization helps: the gap between the number of ANDs 
required by a randomized protocol and a deterministic one may be exponential. 
We also quantify how much randomization can help, and study its limits. Finally, 
we show that allowing a statistically secure protocol with some error probability 
may significantly reduce the number of ANDs compared to the number required 
by a perfect randomized protocol. 

4.1 Randomization Helps 

The following theorem, adapted from [16], establishes an upper bound on the 
number of ANDs needed to securely compute a function, in terms of the num- 
ber of gates in its circuit. Together with our characterization for deterministic 
protocols in the previous section, the theorem proves that randomization helps, 
as we elaborate below. 

Theorem 5 ([16]). If $f$ can be computed by a Boolean circuit with fan-in 2 
whose size is $s$, then there is a perfectly-secure randomized protocol computing $f$ 
which uses $4s$ AND calls. 

Proof. Theorem 5 is proved in [16] by having each of the parties additively 
secret-share their inputs, and then processing the shares through each of the gates in 
the circuit. Depending on the gate, the parties may need to use the primitive of 
1-out-of-4 Oblivious Transfer, which can be implemented using four ANDs. 

We next describe the protocol in our context. Alice and Bob compute the 
function $f$ one gate at a time, such that for each wire in the circuit, Alice and 
Bob hold two random bits whose exclusive-or is the correct value for that wire 
in a non-secure computation of the circuit (see Figure 3). For initialization, for 
every variable $x_i$ held by Alice, the bits held by Alice and Bob respectively 
are $(s_A, s_B)$ where Alice holds the bit $s_A = x_i$ and Bob holds the bit $s_B = 0$. 
The variables held by Bob are dealt with symmetrically. We next explain how to 
compute a Boolean gate $G$ where the correct values of its inputs computed by 
the circuit are $s_1$ and $s_2$ and the correct value of the output of the gate is 
$s_3 = G(s_1, s_2)$. Before the computation of the gate Alice holds $(s_{1A}, s_{2A})$ and 
Bob holds $(s_{1B}, s_{2B})$ such that $s_1 = s_{1A} \oplus s_{1B}$ and $s_2 = s_{2A} \oplus s_{2B}$. At the 
end of the computation Alice and Bob should hold random bits $(s_{3A}, s_{3B})$ such 
that $s_3 = s_{3A} \oplus s_{3B}$. To compute the gate, Bob chooses a random bit $s_{3B}$, and 
computes the value of $s_{3A}$ for the 4 possible values $(0, 0), (0, 1), (1, 0)$, and $(1, 1)$ 
of Alice's inputs $(s_{1A}, s_{2A})$. That is, Bob computes for every $a_1, a_2 \in \{0, 1\}$ the 
value $s_{3A} = s_{3B} \oplus G(a_1 \oplus s_{1B}, a_2 \oplus s_{2B})$. Thereafter, Alice and Bob perform 
four ANDs, corresponding to the possible values of Alice's inputs, where Alice 
puts 1 to the AND execution corresponding to her true inputs $(s_{1A}, s_{2A})$, and 
0 to the other three, and Bob puts the values of $s_{3A}$ he computed. For the final 
gate application, Bob chooses $s_{3B} = 0$, so that Alice's output for that gate (in 
the appropriate AND execution) is the output of the function. The correctness 
and privacy of this protocol are easy to verify. □ 
Fig. 3. A secure evaluation of a gate $G$: $s_1 = s_{1A} \oplus s_{1B}$, $s_2 = s_{2A} \oplus s_{2B}$, and 
$s_3 = G(s_1, s_2) = s_{3A} \oplus s_{3B}$. 



The above theorem applies for circuits with gates which are arbitrary Boolean 
functions with fan-in 2. Depending on the circuit, the theorem can be optimized 
to achieve a smaller number of ANDs, as some of the gates may require only 
2 ANDs (when one of the incoming wires is from Bob’s initial inputs) or no 
ANDs (when the gate computes exclusive-or) . Such optimizations are used in 
the following examples to obtain slightly better parameters than guaranteed by 
a direct application of the theorem as stated. 
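The gate-by-gate protocol of Theorem 5, with the exclusive-or optimization just mentioned, as an added Python simulation (this is the editor's code, not the paper's or the code of [16]). A circuit is a list of gates given by truth tables; each non-XOR gate costs four ANDs, XOR gates are computed locally on the shares, and the output gate is always evaluated with the four ANDs so that Bob can set $s_{3B} = 0$. check() verifies the result against a plain evaluation for every input and every random choice of Bob and returns the AND count. The circuit encoding, the tape convention for Bob's randomness, and the helper names are assumptions of this example.

```python
from itertools import product

XOR = "xor"                                                  # marker for the free gate
AND = {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 1}
OR = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 1}
NOR = {(0, 0): 1, (0, 1): 0, (1, 0): 0, (1, 1): 0}

def secure_circuit(x, y, circuit, tape):
    """Theorem 5 protocol. Every wire value w is held as w = w_A XOR w_B.
    circuit: list of (name, gate, in1, in2); inputs are named ('x', i) / ('y', j).
    tape: Bob's random bits, one per non-final non-XOR gate (in circuit order).
    Returns (Alice's output, the list of AND outputs Alice sees)."""
    shares = {('x', i): (b, 0) for i, b in enumerate(x)}   # Bob's share of x_i is 0
    shares.update({('y', j): (0, b) for j, b in enumerate(y)})
    tape, and_outputs = list(tape), []
    for idx, (name, G, w1, w2) in enumerate(circuit):
        s1A, s1B = shares[w1]
        s2A, s2B = shares[w2]
        final = idx == len(circuit) - 1
        if G is XOR and not final:            # XOR: no ANDs, XOR the shares locally
            shares[name] = (s1A ^ s2A, s1B ^ s2B)
            continue
        if G is XOR:                          # output gate: use the general method
            G = {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}
        s3B = 0 if final else tape.pop(0)     # Bob's share of the gate output
        s3A = 0
        for a1, a2 in product((0, 1), repeat=2):   # four ANDs, one per guess of Alice's shares
            bob_value = s3B ^ G[(a1 ^ s1B, a2 ^ s2B)]    # s3_A if Alice's shares are (a1, a2)
            alice_bit = int((s1A, s2A) == (a1, a2))     # 1 only for her true shares
            out = alice_bit & bob_value                   # the AND black box
            and_outputs.append(out)
            s3A ^= out                                    # at most one of the four is nonzero
        shares[name] = (s3A, s3B)
    return shares[circuit[-1][0]][0], and_outputs       # Bob's final share is 0

def plain_circuit(x, y, circuit):
    """Non-secure evaluation of the same circuit, used as the reference."""
    w = {('x', i): b for i, b in enumerate(x)}
    w.update({('y', j): b for j, b in enumerate(y)})
    for name, G, w1, w2 in circuit:
        w[name] = w[w1] ^ w[w2] if G is XOR else G[(w[w1], w[w2])]
    return w[circuit[-1][0]]

def check(circuit, n, m, nrand):
    """Correctness for every input pair and every tape of Bob; returns the AND count."""
    ands = None
    for x in product((0, 1), repeat=n):
        for y in product((0, 1), repeat=m):
            for tape in product((0, 1), repeat=nrand):
                out, seen = secure_circuit(x, y, circuit, tape)
                assert out == plain_circuit(x, y, circuit)
                assert ands in (None, len(seen))
                ands = len(seen)
    return ands

# Constructed example circuits (not from the paper).
EQ2_CIRCUIT = [("d0", XOR, ('x', 0), ('y', 0)),
               ("d1", XOR, ('x', 1), ('y', 1)),
               ("eq", NOR, "d0", "d1")]          # EQ_2 = NOR(x0 + y0, x1 + y1): 4 ANDs
F_CIRCUIT = [("g1", AND, ('x', 0), ('y', 0)),
             ("g2", OR, ('x', 1), ('y', 1)),
             ("f", AND, "g1", "g2")]             # three gates: 12 ANDs, 2 random bits

def first_gate_shares(x, y):
    """Alice's share of g1 in F_CIRCUIT for each of Bob's tapes: uniformly random."""
    return sorted(sum(secure_circuit(x, y, F_CIRCUIT, t)[1][:4])
                  for t in product((0, 1), repeat=2))

if __name__ == "__main__":
    print(check(EQ2_CIRCUIT, 2, 2, 0), check(F_CIRCUIT, 2, 2, 2))   # 4 12
```

The four AND outputs of a non-final gate are three zeros and Alice's share $s_{3A}$, which is uniformly random because Bob masks the true wire value with a fresh $s_{3B}$; first_gate_shares() shows this for one input pair.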

We conclude that randomization helps for functions where the upper bound 
promised by Theorem 5 for randomized protocols is smaller than the lower bound 
established in Theorem 2 for deterministic protocols. We next provide a few 
concrete examples, which exhibit when and how much randomization helps. 

Example 1 (Inner Product $\mathrm{IP}_n$). Let $\mathrm{IP}_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ be the 
inner-product modulo 2 function, that is, $\mathrm{IP}_n(x,y) = \bigoplus_{i=1}^{n} x_i y_i$. We show that 
the function $\mathrm{IP}_n$ can be computed with $2n$ ANDs using a perfect randomized 
protocol, but requires at least $2^n - 1$ ANDs in any deterministic protocol. 

Lemma 4. The function $\mathrm{IP}_n$ can be securely computed with $2n$ ANDs using 
a randomized protocol. Any deterministic protocol for securely computing $\mathrm{IP}_n$ 
requires at least $2^n - 1$ ANDs (and there is a deterministic protocol using this 
number of ANDs). 

Proof. Consider the following protocol on input $x = x_1, \ldots, x_n$ for Alice and 
$y = y_1, \ldots, y_n$ for Bob. Bob chooses $r_1, \ldots, r_{n-1} \in \{0, 1\}$ uniformly at random 
and sets $r_n \gets \bigoplus_{i=1}^{n-1} r_i$. Then, for each $i = 1, \ldots, n$, Alice and Bob run two 
ANDs, as follows: $a_i^0 \gets \mathrm{AND}(1 - x_i, r_i)$ and $a_i^1 \gets \mathrm{AND}(x_i, y_i \oplus r_i)$. Alice outputs 
$\bigoplus_{i=1}^{n} a_i^0 \oplus a_i^1 = \mathrm{IP}_n(x, y)$. The claims about deterministic protocols for $\mathrm{IP}_n$ follow 
from Theorem 4 and Theorem 3. □ 
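Definition 1 and Definition 2 can be checked mechanically on small inputs, and this also exercises the protocols of Theorem 3 and Lemma 4. The Python code below is an added example (not from the paper): analyse() enumerates every input pair and every pair of random tapes, builds the view distributions, and returns the exact $\epsilon$ (correctness) and $\delta$ (the larger of Bob's and Alice's privacy distances) of Definition 1 together with the number of ANDs of Definition 2. It then runs the Theorem 3 protocol on $\mathrm{EQ}_2$, the Lemma 4 protocol on $\mathrm{IP}_3$, and two variants constructed here to show what the randomness of Lemma 4 is doing: one where Bob draws $r_n$ independently instead of as the XOR of $r_1, \ldots, r_{n-1}$ (the output becomes a coin flip), and a naive $n$-AND protocol that is correct but reveals $y_i$ to Alice whenever $x_i = 1$. BlackBox, analyse and the protocol constructors are the editor's names.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

class BlackBox:
    """One execution in the model of Section 2: AND outputs are seen by Alice
    only, messages are seen by both parties."""
    def __init__(self):
        self.ands, self.transcript = [], []
    def AND(self, a, b):
        self.ands.append(a & b)
        return a & b
    def send(self, msg):
        self.transcript.append(msg)
        return msg

def DIST(c0, c1, n):
    """Statistical distance of two view distributions given as counts over n tapes."""
    return sum(abs(Fraction(c0[k], n) - Fraction(c1[k], n)) for k in set(c0) | set(c1)) / 2

def analyse(protocol, A, B, RA, RB, f):
    """Exact (epsilon, delta) of Definition 1 and the number of ANDs of Definition 2,
    enumerating every input pair and every pair of random tapes (RA for Alice, RB for
    Bob). protocol(bb, x, y, rA, rB) returns Alice's output; f(x, y) is None where
    f is undefined."""
    eps, delta, ands = Fraction(0), Fraction(0), 0
    alice, bob = {}, {}    # (x, rA, y) -> Counter of Alice's views; (x, y, rB) -> Bob's
    for x, y in product(A, B):
        if f(x, y) is None:
            continue
        wrong = 0
        for rA, rB in product(RA, RB):
            bb = BlackBox()
            wrong += protocol(bb, x, y, rA, rB) != f(x, y)
            ands = max(ands, len(bb.ands))
            alice.setdefault((x, rA, y), Counter())[(tuple(bb.transcript), tuple(bb.ands))] += 1
            bob.setdefault((x, y, rB), Counter())[tuple(bb.transcript)] += 1
        eps = max(eps, Fraction(wrong, len(RA) * len(RB)))
    for x, rA, y0, y1 in product(A, RA, B, B):    # Bob's privacy: f(x,y0) = f(x,y1) != *
        if f(x, y0) is not None and f(x, y0) == f(x, y1):
            delta = max(delta, DIST(alice[(x, rA, y0)], alice[(x, rA, y1)], len(RB)))
    for y, rB, x0, x1 in product(B, RB, A, A):    # Alice's privacy: both values defined
        if f(x0, y) is not None and f(x1, y) is not None:
            delta = max(delta, DIST(bob[(x0, y, rB)], bob[(x1, y, rB)], len(RA)))
    return eps, delta, ands

BITS2 = list(product((0, 1), repeat=2))
BITS3 = list(product((0, 1), repeat=3))
NO_RANDOMNESS = [()]      # the single empty tape of a deterministic party

def eq(x, y):
    return int(x == y)

def ip(x, y):
    return sum(a & b for a, b in zip(x, y)) % 2

def theorem3_protocol(A, f):
    """Theorem 3 (Boolean f): one AND per z in A; Alice puts [x = z], Bob puts f(z, y)."""
    def run(bb, x, y, rA, rB):
        outs = [bb.AND(int(x == z), int(f(z, y) == 1)) for z in A]
        return outs[A.index(x)]
    return run

def lemma4_protocol(n):
    """Lemma 4: rB holds r_1..r_{n-1}, r_n is their XOR; two ANDs per coordinate."""
    def run(bb, x, y, rA, rB):
        r = list(rB) + [sum(rB) % 2]
        outs = [bb.AND(1 - x[i], r[i]) ^ bb.AND(x[i], y[i] ^ r[i]) for i in range(n)]
        return sum(outs) % 2
    return run

def uncorrelated_protocol(n):
    """Lemma 4 with an independent r_n (rB has n bits): the output is a coin flip."""
    def run(bb, x, y, rA, rB):
        outs = [bb.AND(1 - x[i], rB[i]) ^ bb.AND(x[i], y[i] ^ rB[i]) for i in range(n)]
        return sum(outs) % 2
    return run

def naive_protocol(n):
    """n ANDs with Alice putting x_i and Bob y_i: correct, but Alice sees y_i when x_i = 1."""
    def run(bb, x, y, rA, rB):
        return sum(bb.AND(x[i], y[i]) for i in range(n)) % 2
    return run

if __name__ == "__main__":
    print(analyse(theorem3_protocol(BITS2, eq), BITS2, BITS2, NO_RANDOMNESS, NO_RANDOMNESS, eq))
    print(analyse(lemma4_protocol(3), BITS3, BITS3, NO_RANDOMNESS, BITS2, ip))        # (0, 0, 6)
    print(analyse(uncorrelated_protocol(3), BITS3, BITS3, NO_RANDOMNESS, BITS3, ip))  # epsilon 1/2
    print(analyse(naive_protocol(3), BITS3, BITS3, NO_RANDOMNESS, NO_RANDOMNESS, ip)) # delta 1
```

Bob's tape for the Lemma 4 protocol has only $n-1$ bits, which is the point of the construction: the $n$ values Alice sees are uniformly distributed among the vectors whose XOR is $\mathrm{IP}_n(x,y)$, so given the output they carry nothing about $y$.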

As we will explain in Example 5, the number of ANDs in this protocol is tight 
up to a constant, since every randomized protocol for IP„ requires at least n/2 
ANDs even if we allow errors and statistical privacy. We next show a tradeoff 
between the number of random bits and the number of ANDs. 
A randomized protocol for the restricted $\mathrm{IP}_3$ with 4 ANDs 

Alice's input: $x_1, x_2, x_3$ where the number of variables with value 1 is $\le 2$. 

Bob's input: $y_1, y_2, y_3$ 

Alice's desired output: $x_1 y_1 \oplus x_2 y_2 \oplus x_3 y_3$ 

Bob chooses $r$ at random from $\{0, 1\}$. 

Alice sets $a = 1$ iff exactly one of her inputs has value 1. 

Alice and Bob execute the following 4 ANDs: 

$a_1 \gets \mathrm{AND}(x_1, y_1 \oplus r)$, $a_2 \gets \mathrm{AND}(x_2, y_2 \oplus r)$, 

$a_3 \gets \mathrm{AND}(x_3, y_3 \oplus r)$, $a_4 \gets \mathrm{AND}(a, r)$. 

Alice's output: $a_1 \oplus a_2 \oplus a_3 \oplus a_4$. 

Fig. 4. A randomized protocol with 4 ANDs for a function requiring 6 ANDs in any 
deterministic protocol. 

Lemma 5. The function $\mathrm{IP}_n$ can be securely computed using $R-1$ random bits 
and ANDs, for all $1 \le R \le n$. 

Proof. The protocol is a generalization of the protocol described in the proof of 
Lemma 4. Denote $n' = \lceil n/R \rceil$. Bob chooses $R-1$ random bits $r_1, \ldots, r_{R-1}$ and 
sets $r_R \gets \bigoplus_{i=1}^{R-1} r_i$. Then, for $i = 0$ to $R-1$, Alice and Bob compute the value 
$a_i \gets \mathrm{IP}_{n'}((x_{in'+1}, \ldots, x_{(i+1)n'}), (y_{in'+1}, \ldots, y_{(i+1)n'})) \oplus r_{i+1}$ using the secure 
deterministic protocol of Theorem 3, which uses ANDs, where Alice's input is 
$(x_{in'+1}, \ldots, x_{(i+1)n'})$ and Bob's input is $(y_{in'+1}, \ldots, y_{(i+1)n'}), r_{i+1}$. Alice outputs 
the value $\bigoplus_{i=0}^{R-1} a_i$, which by the properties of IP and the choice of the $r_i$'s is the 
correct value. Since the first $R-1$ random bits are chosen independently and 
the deterministic IP protocol is secure, the protocol we construct is secure. □ 



Example 2 (Restricted $\mathrm{IP}_3$). Consider the restricted-domain inner product 
function $\mathrm{IP}_3$, where Alice's input cannot be $x = (1, 1, 1)$; we refer to it as the 
restricted $\mathrm{IP}_3$. We show in Figure 4 that this function can be computed with 
4 ANDs in a randomized protocol with perfect privacy and correctness, but requires 
6 ANDs in any deterministic protocol. We note that 4 is the smallest number of 
ANDs for which we can prove that randomization helps (in Section 4.3 we will see 
that for one AND we can prove randomization does not help). We leave as an open 
problem whether randomization helps or not for the case of 2 or 3 ANDs. 

Lemma 6. The restricted $\mathrm{IP}_3$ can be securely computed with 4 ANDs in a 
randomized protocol, but the minimal number of ANDs required by a deterministic 
protocol for this function is 6. 



Example 3 (Equality $\mathrm{EQ}_n$). Let $\mathrm{EQ}_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ be the equality 
function, that is, $\mathrm{EQ}_n(x,y) = 1$ iff $x = y$. We show below that the number of 
ANDs required to compute the function $\mathrm{EQ}_n$ using a perfect deterministic 
protocol is exponential in $n$, while using a perfect randomized protocol this number 
is linear in $n$, and using a randomized protocol with small error probability and 
statistical privacy, the number of ANDs is independent of $n$ and depends only 
on the allowed error and distance (which are exponentially small in the number 
of ANDs). The specific lemmas are stated below. 

A randomized (imperfect) protocol for $\mathrm{EQ}_n$ 

Alice's input: $x = x_1, \ldots, x_n \in \{0,1\}^n$ 

Bob's input: $y = y_1, \ldots, y_n \in \{0,1\}^n$ 

Alice's desired output: $\mathrm{EQ}_n(x, y)$ 

Bob chooses $k$ vectors $r^1, \ldots, r^k \in \{0,1\}^n$ uniformly at random. 

Bob sends $r^1, \ldots, r^k$ to Alice. 

Alice computes $a_j = \mathrm{IP}_n(x, r^j)$ for $j = 1, \ldots, k$, and sets $a = a_1, \ldots, a_k$. 
Bob computes $b_j = \mathrm{IP}_n(y, r^j)$ for $j = 1, \ldots, k$, and sets $b = b_1, \ldots, b_k$. 
Alice and Bob use the randomized protocol of Lemma 7 to compute $\mathrm{EQ}_k(a, b)$. 
Alice's output: the output of the protocol for $\mathrm{EQ}_k(a, b)$. 

Fig. 5. A randomized protocol with $O(k)$ ANDs, $1/2^k$ error and $2/2^k$ distance for 
$\mathrm{EQ}_n$. 

Lemma 7. Any deterministic protocol computing $\mathrm{EQ}_n$ must use at least $2^n$ 
ANDs, and there is a deterministic protocol with this number of ANDs. Any 
perfectly-secure randomized protocol computing $\mathrm{EQ}_n$ must use at least $n$ ANDs, 
and there exists such a protocol using $O(n)$ ANDs. 

Proof. Noting that the matrix for $\mathrm{EQ}_n$ is the identity matrix, the upper bound 
for deterministic protocols follows directly from Theorem 3. The lower bound 
for deterministic protocols follows from Theorem 4, since the matrix satisfies all 
the conditions of the theorem (including the all-zero column, if we exchange the 
roles of 0 and 1 outputs in one of the rows). The upper bound for randomized 
protocols follows from Theorem 5, by noting that there is a Boolean circuit 
with fan-in 2 and with $O(n)$ gates that computes $\mathrm{EQ}_n$. The lower bound for 
randomized protocols follows from Theorem 6 below. □ 



Lemma 8. For every $k$, the function $\mathrm{EQ}_n$ can be computed with $O(k)$ ANDs by 
a randomized protocol with $1/2^k$ error and at most $1/2^k$ statistical distance. 

Proof. The protocol securely computing $\mathrm{EQ}_n$ is described in Figure 5. The idea 
of the protocol is to approximately compare the initial $n$-bit inputs by (exactly) 
comparing $k$ inner products of the inputs with random strings, which as we saw 
can be done using $O(k)$ ANDs. It is clear that if $\mathrm{EQ}_n(x,y) = 1$ (i.e., the inputs 
are equal) the protocol does not err. On the other hand, $\Pr[a_j \ne b_j \mid \mathrm{EQ}_n(x,y) = 0] = 1/2$ 
for every $j$, and since the vectors $r^j$ are chosen independently at random, 
$\Pr[\mathrm{EQ}_k(a,b) = 1 \mid \mathrm{EQ}_n(x,y) = 0] = 1/2^k$, which establishes the error. 

We next prove that the protocol has statistical privacy. Intuitively, Alice learns information only when she gets an incorrect output. Formally, fix any x, y, y' ∈ {0,1}^n such that y ≠ y' and EQ_n(x,y) = EQ_n(x,y'), and compute the statistical distance between the view seen by Alice holding input x, when executing the protocol with Bob's input set to y or to y' (we will denote the corresponding vectors computed in the protocol by (a,b) and (a',b') respectively). Observe that if EQ_n(x,y) = 1, y and y' must be identical. Thus, we only need to consider the case where EQ_n(x,y) = 0, namely x, y, y' are three different vectors. The only information that Alice gets in the protocol which depends on Bob's input is the output of the perfectly secure protocol for EQ_k(a,b) (or EQ_k(a',b')). This implies that, given that this output is the same, the views are distributed identically. On the other hand, we can bound the probability that this output is not the same, as follows. 

Pr[EQ_k(a,b) ≠ EQ_k(a',b') | EQ_n(x,y) = 0] 
  ≤ Pr[EQ_k(a,b) = 1 | EQ_n(x,y) = 0] + Pr[EQ_k(a',b') = 1 | EQ_n(x,y') = 0] = 2/2^k 

We may therefore conclude that the statistical distance between Alice's views for input (x,y) vs. (x,y') is at most 1/2^k. Finally, note that Bob does not receive any messages in this protocol, so Alice's perfect privacy follows immediately. □ 
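The fingerprinting idea behind Lemma 8, as an added example (this is not code from the paper; the paper's own protocol is its Figure 5, which is not reproduced on this page): each party locally takes k inner products of its n-bit input with shared random vectors, and only the k-bit fingerprints are compared. Computing a fingerprint needs no ANDs, since it is linear in the party's own input; the example compares the fingerprints directly instead of through an AND-black-box protocol for EQ_k. It then estimates the two quantities the proof reasons about: the error probability 1/2^k on distinct inputs, and the probability that Alice's only Bob-dependent observation, EQ_k(a,b), differs between Bob holding y and Bob holding y', the event bounded by 2/2^k in the privacy argument. Function names and the sample inputs are constructed for this example.

```python
import random
from typing import List

Bits = List[int]  # a vector over GF(2), one int (0 or 1) per coordinate


def inner_product(u: Bits, v: Bits) -> int:
    """Inner product over GF(2): the parity of the coordinatewise AND."""
    return sum(a & b for a, b in zip(u, v)) & 1


def fingerprint(x: Bits, rs: List[Bits]) -> Bits:
    """a_j = <x, r_j> for each shared random vector r_j; linear in x, so no ANDs are needed."""
    return [inner_product(x, r) for r in rs]


def random_vectors(n: int, k: int, rng: random.Random) -> List[Bits]:
    """k independent uniform n-bit vectors (the shared randomness of the protocol)."""
    return [[rng.randrange(2) for _ in range(n)] for _ in range(k)]


def randomized_eq(x: Bits, y: Bits, rs: List[Bits]) -> int:
    """EQ_k(a, b): 1 iff the k-bit fingerprints of x and y agree."""
    return int(fingerprint(x, rs) == fingerprint(y, rs))


def error_rate(x: Bits, y: Bits, k: int, trials: int, seed: int) -> float:
    """Fraction of runs in which the randomized comparison disagrees with EQ_n(x, y).
    For x == y this is exactly 0; for x != y it concentrates around 1/2^k."""
    rng = random.Random(seed)
    truth = int(x == y)
    wrong = 0
    for _ in range(trials):
        rs = random_vectors(len(x), k, rng)
        wrong += randomized_eq(x, y, rs) != truth
    return wrong / trials


def view_disagreement(x: Bits, y: Bits, y2: Bits, k: int, trials: int, seed: int) -> float:
    """Fraction of runs (same shared randomness) in which EQ_k(a, b) differs between
    Bob holding y and Bob holding y2. This is the event bounded by 2/2^k in Lemma 8."""
    rng = random.Random(seed)
    differ = 0
    for _ in range(trials):
        rs = random_vectors(len(x), k, rng)
        differ += randomized_eq(x, y, rs) != randomized_eq(x, y2, rs)
    return differ / trials


if __name__ == "__main__":
    # constructed sample inputs: three distinct 16-bit vectors
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1]
    y = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]
    y2 = [0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1]
    print("equal inputs, error rate:", error_rate(x, x, 3, 1000, 1))
    print("distinct inputs, k=3, error rate:", error_rate(x, y, 3, 4000, 2))
    print("view disagreement, k=3:", view_disagreement(x, y, y2, 3, 4000, 3))
```

With k = 1 the fingerprints of two distinct inputs collide with probability exactly 1/2 (the difference vector has a uniform inner product with a uniform r), so the empirical error sits near 0.5; with k = 3 it sits near 1/8, and the view-disagreement rate stays below the 2/2^k = 1/4 bound. The number of ANDs in the protocol is governed by k alone, which is the point the text makes about the gap between perfect and imperfect protocols.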

The number of ANDs used in the last lemma is independent of n, exhibiting an inherent gap between perfect and imperfect protocols. In order to get exponentially small statistical distance and error in this protocol, the number of ANDs should still be set to be linear in n, though it may be smaller than n. Setting the number of ANDs to be polylogarithmic in n will already give a negligible statistical distance and error. This should be contrasted with the lower bounds of n (or 2^n) ANDs for perfect randomized (or deterministic, resp.) protocols for this function. 



4.2 How Much Does Randomization Help? 

In the previous section we showed that randomization can help significantly compared to deterministic protocols. In this section we consider the limitations of randomized protocols. We first show lower bounds on the number of ANDs required in randomized protocols. For a function f : {0,1}^n × {0,1}^n → {0,1}^n our lower bound is at most n. Notice that by Theorem 5 we cannot prove super-linear lower bounds on the number of calls to the AND black box for explicit functions unless we prove super-linear lower bounds for the circuit complexity of explicit functions, which is a long-standing open problem. We use our lower bounds to show that for Boolean functions the gap in the number of calls to the AND black box between deterministic protocols and randomized protocols with perfect security can be at most exponential. 

We start by giving two lower bounds on the number of ANDs in perfectly-secure protocols. The proofs of these lower bounds are omitted for lack of space. 



Theorem 6. Let f : A × B → C be a function s.t. all columns of M_f are equivalent and no two columns are the same. The number of AND black box calls in any perfectly-secure randomized protocol computing f is at least ⌈log |B|⌉. 
Example 4. Consider the function $\binom{n}{1}$OT : {1, …, n} × {0,1}^n → {0,1} defined as $\binom{n}{1}$OT(i, (y_1, …, y_n)) = y_i. Theorem 6 proves that in any perfectly-secure protocol for $\binom{n}{1}$OT the number of ANDs is at least n.† This implies that in any perfectly-secure protocol for $\binom{n}{1}$OT using an OT black box the number of $\binom{2}{1}$OT calls is at least n/2. This reproves the result of Dodis and Micali [14] up to a factor of 2 (our proof does not use information theory). 



Theorem 7. Let f : A × B → {0,1} be a Boolean function s.t. all columns of M_f are equivalent, no two rows of M_f are the same, and there is some y_0 ∈ B s.t. f(x, y_0) = 0 for every x ∈ A. Then, the number of calls to the AND black box in any perfectly-secure randomized protocol computing f is at least ⌈log |A|⌉. 

The next theorem states that for Boolean functions the gap in the number of AND black-box calls between deterministic protocols and randomized protocols with perfect security is at most exponential. This seems to resemble the simple derandomization of randomized algorithms; however, this resemblance is misleading (as executing a secure protocol with all possible random coins might leak information). As an example of the difficulty, the gap can be much larger for non-perfect randomized protocols. Another example is the malicious model where randomization is essential (see, e.g., [14]). We prove the gap between randomized and deterministic protocols by combining the lower bounds we proved on randomized protocols and the upper bounds for deterministic protocols. 

Theorem 8. Let f be a Boolean function. If there exists a perfectly-secure randomized protocol computing f using q ANDs then there is a deterministic protocol computing f with 2^q ANDs. 

Proof. By Lemma 1, the function f can be securely computed with q ANDs if and only if every equivalence class of the columns of M_f can be computed securely with q ANDs. Thus, by Theorem 7, the number of distinct rows in any equivalence class is at most 2^q. By Theorem 3, there is a deterministic protocol securely computing every equivalence class of f using 2^q ANDs, and therefore, by Lemma 1, such a protocol exists for f. □ 

We next generalize Theorem 6 to protocols which might err with some probability. We first recall some definitions from communication complexity (for more information on this subject see [23]). The one-round randomized communication complexity in the public random coin model is defined as follows: Alice and Bob each have a private input and they have a shared random input. Bob sends one message to Alice, and Alice computes the output of the protocol (there are no privacy requirements). The error of the protocol is the probability that Alice outputs a value different from f(x,y). A protocol computes f with error ε if for all inputs x, y its error is at most ε. Let  be the number of communication bits in the best such protocol computing f with error ε. 

† Using Theorem 9 below, one can prove that even in statistically-secure protocols for $\binom{n}{1}$OT the number of ANDs is Ω(n). 

Theorem 9. Let f : A × B → {0,1} be a Boolean function s.t. all the columns of M_f are equivalent and no two columns are identical. Then, in any randomized (ε,δ)-secure protocol computing f, the number of ANDs is at least (f). 

The proof of Theorem 9 is omitted for lack of space. Theorem 6 is a special case of Theorem 9 since it is easy to see that  = ⌈log |B|⌉. 

Example 5. By [15] it holds that  = n/2 for every ε < 1/2. Thus, unlike EQ_n, for every ε, δ where ε + 7δ < 1/2, the inner-product function does not have an (ε,δ)-secure protocol which uses less than n/2 ANDs. 

4.3 One AND: Randomization Does Not Help 

We have seen that randomization can significantly reduce (up to an exponential 
factor) the number of required ANDs, and that already with 4 ANDs, random- 
ized protocols compute a strictly stronger class of functions than deterministic 
protocols with the same number of ANDs. On the other hand, it is known (see 
Theorem 1) that for secure computation in our model without any ANDs, ran- 
domization does not help. In this section we show that with one AND random- 
ization still does not help. 

Theorem 10. Let f : A × B → C be a function such that all the columns of M_f are equivalent according to ≡_C. The function f can be computed securely by a randomized protocol using one call to the AND black box if and only if there are A_1 ⊆ A and B_1 ⊆ B such that: 

1. For every x ∈ A_1, y_0 ∉ B_1, and y_1 ∈ B_1 it holds that f(x, y_0) ≠ f(x, y_1), 

2. For every x ∈ A and every y, y' ∈ B such that either x ∉ A_1 or y, y' ∈ B_1 it holds that f(x,y) = f(x,y'). 

3. For every x ∈ A_1 and every y, y' ∈ B \ B_1 it holds that f(x,y) = f(x,y'). 

Proof. First, if Conditions (1)-(3) hold then, by Theorem 2, f can be computed by a secure (deterministic) protocol with 1 AND. The function f_{A_1,B_1} can be computed by Alice without any communication since each row of f_{A_1,B_1} is constant. 

For the other direction, assume there is a secure protocol that computes f with 1 AND. Fix any communication string c that has positive probability for some fixed inputs; by Lemma 2, c has positive probability given every x, y. Now define A_1 = {x : Pr[Alice puts 1 to the black box with x and communication c] > 0}, and B_1 = {y : Pr[Bob puts 1 to the black box with y and communication c] > 0}. By the correctness and privacy requirements of the protocol, A_1 and B_1 satisfy Conditions (1)-(3). □ 

The protocol proving the sufficiency of the conditions in Theorem 10 is de- 
terministic. Thus, 

Corollary 1. Randomized protocols with one AND can compute securely exactly 
the same functions as deterministic protocols with one AND. 
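A brute-force checker for the characterization in Theorem 10, added here as an example (not code from the paper; all names are constructed). It takes f as a Python function over small explicit domains A and B and searches for sets A_1 ⊆ A, B_1 ⊆ B. It assumes the precondition on the columns of M_f has already been handled via Lemma 1, so it does not test column equivalence; what it checks is that for some B_1 every row f(x, ·) is constant on B_1 and constant on B \ B_1, placing x in A_1 exactly when the two constants differ, which is what Conditions (1)-(3) say. It then executes the resulting one-AND protocol: Alice feeds [x ∈ A_1], Bob feeds [y ∈ B_1], and Alice derives f(x,y) from x and the AND output alone.

```python
from itertools import combinations
from typing import Callable, FrozenSet, Hashable, Optional, Sequence, Tuple

Elem = Hashable
F = Callable[[Elem, Elem], Hashable]


def all_subsets(items: Sequence[Elem]):
    """Enumerate every subset of `items` (fine for the tiny domains used here)."""
    for size in range(len(items) + 1):
        for combo in combinations(items, size):
            yield frozenset(combo)


def find_one_and_split(A: Sequence[Elem], B: Sequence[Elem], f: F) -> Optional[Tuple[FrozenSet, FrozenSet]]:
    """Search for (A_1, B_1) satisfying Conditions (1)-(3) of Theorem 10.

    For a candidate B_1, each row f(x, .) must be constant on B_1 and constant on
    B \\ B_1 (Conditions 2 and 3); x joins A_1 exactly when those two constants
    differ (Condition 1). Returns None if no B_1 works, i.e. one AND does not suffice.
    """
    for B1 in all_subsets(B):
        A1 = set()
        for x in A:
            inside = {f(x, y) for y in B if y in B1}
            outside = {f(x, y) for y in B if y not in B1}
            if len(inside) > 1 or len(outside) > 1:
                break  # row x is not constant on one side: this B_1 fails
            if inside and outside and inside != outside:
                A1.add(x)  # row depends on [y in B_1], so Alice must feed 1 to the AND
        else:
            return frozenset(A1), B1
    return None


def one_and_protocol(x: Elem, y: Elem, A1: FrozenSet, B1: FrozenSet, B: Sequence[Elem], f: F) -> Hashable:
    """Run the deterministic one-AND protocol: z = AND([x in A_1], [y in B_1]),
    then Alice outputs the value her row takes on the side of B that z identifies.
    Alice uses only x and z (plus the public A_1, B_1 and f), never y itself."""
    z = int(x in A1) & int(y in B1)
    if x not in A1:
        rep = B[0]  # the whole row is constant, so any column will do
    else:
        rep = next(b for b in B if (b in B1) == bool(z))  # z says which side y lies on
    return f(x, rep)


def protocol_is_correct(A: Sequence[Elem], B: Sequence[Elem], f: F) -> bool:
    """True iff a split exists and the resulting protocol agrees with f on every input."""
    split = find_one_and_split(A, B, f)
    if split is None:
        return False
    A1, B1 = split
    return all(one_and_protocol(x, y, A1, B1, B, f) == f(x, y) for x in A for y in B)


if __name__ == "__main__":
    bits = [0, 1]
    print("EQ_1 :", find_one_and_split(bits, bits, lambda x, y: int(x == y)))
    print("OR   :", find_one_and_split(bits, bits, lambda x, y: x | y))
    # identity matrix on a three-element domain: Theorem 6 gives ceil(log 3) = 2 ANDs
    print("EQ on {0,1,2}:", find_one_and_split([0, 1, 2], [0, 1, 2], lambda x, y: int(x == y)))
```

The 1-bit equality and OR functions both admit a split (OR via its De Morgan form, with Alice feeding 1 only when x = 0), whereas the 3×3 identity matrix admits none, in line with the ⌈log |B|⌉ = 2 bound of Theorem 6. The search is exponential in |B| and is meant only to make the conditions concrete.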
Abstract. Traditionally, secure cryptographic algorithms provide secu- 
rity against an adversary who has only black-box access to the secret 
information of honest parties. However, such models are not always ad- 
equate. In particular, the security of these algorithms may completely 
break under (feasible) attacks that tamper with the secret key. 

In this paper we propose a theoretical framework to investigate the algorithmic aspects related to tamper-proof security. In particular, we define a model of security against an adversary who is allowed to apply arbitrary feasible functions f to the secret key sk, and obtain the result of the cryptographic algorithms using the new secret key f(sk). 

We prove that in the most general setting it is impossible to achieve 
this strong notion of security. We then show minimal additions to the 
model, which are needed in order to obtain provable security. We prove 
that these additions are necessary and also sufficient for most common 
cryptographic primitives, such as encryption and signature schemes. 

We discuss the applications to portable devices protected by PINs and 
show how to integrate PIN security into the generic security design. 
Finally we investigate restrictions of the model in which the tampering 
powers of the adversary are limited. These restrictions model realistic 
attacks (like differential fault analysis) that have been demonstrated in 
practice. In these settings we show security solutions that work even 
without the additions mentioned above. 



1 Introduction 

Motivation and Our Main Questions. Traditionally, cryptographic algo- 
rithms have been designed to provide security against an adversary who has 
only black-box access to the secret information of honest parties. That is, the 
adversary can query the cryptographic algorithm on inputs of his choice and an- 
alyze the responses, which are always computed according to the correct original 
secret information. By now, cryptographic design has become so advanced that 
all the major cryptographic primitives can be proven secure against black-box 
attacks under very weak complexity assumptions. Proofs of security for such 
cryptographic algorithms assume (as an abstraction) that there is some secure 
hardware in which the algorithm and secret key of the honest parties are stored, 
thus denying the adversary any form of access to this data other than exchanging 
messages. If this assumption is violated, all guarantees are off. 

At a closer analysis, the secure hardware assumption encompasses two dif- 
ferent components, informally: (1) Read-proof hardware; that is, hardware that 
prevents an enemy from reading anything about the data stored within it; and (2) 
Tamper-proof hardware; that is, hardware that prevents an enemy from changing 
anything in the data stored within it. 

In particular, traditional cryptographic schemes consist of an algorithm which 
the adversary knows, but cannot change (i.e., stored in tamper-proof hardware) , 
and a secret key, which the adversary does not know and cannot change (i.e., 
stored in hardware which is both read-proof and tamper-proof). 

It is clear that each of these components is necessary, at least to some ex- 
tent, in order to achieve security of a cryptographic algorithm. If the adversary 
can read all information belonging to an honest party, he can also perform all 
the same functionalities. If the adversary can arbitrarily change the algorithm 
implemented by the honest party, he can cause the algorithm to output all the se- 
cret information. Thus, both read-proofness and tamper-proofness are necessary 
assumptions. This raises the following natural questions: 

Is it necessary to have a component which is both read-proof and tamper- 
proof? Can we decouple these assumptions and achieve security when the 
adversary has arbitrary tampering powers for any secret information, and 
complete knowledge of any unchangeable information? What are the min- 
imal physical assumptions necessary for the existence of provably secure 
implementations of major cryptographic primitives? 

Clearly, if the secret data is only secured via a read-proof hardware then the 
adversary can destroy the information by overwriting it. Our goal, however, is to 
prevent the adversary from compromising the security of the card with respect 
to the original secret data (e.g., by forging a valid digital signature). 

In addition to being a natural next step in a line of research aiming to 
achieve security against ever stronger adversaries, these questions also have di- 
rect significance to reducing the gap between cryptographic proofs and practical 
implementations. The motivation for decoupling is further driven by the current 
state in secure hardware design. There are two fronts which support the need 
for decoupling: attacks on, and manufacturing of, the devices. 

Known attacks show that it is hard to preserve the security of the cards. 
Works such as [KJJ99,AARR03] show that a wide variety of “side channels” 
exist that enable an adversary to read off secret keys. On the other hand, many 
physical tampering attacks have proved successful, see for example [AK96,SA03]. 
Boneh, DeMillo, and Lipton [BDL01] show how to use a small number of random faults to break specific, public-key based schemes. Biham and Shamir [BS97] show how to break even unknown secret-key schemes, using a specific kind of random faults. They give these attacks the name differential fault analysis. 

These types of attacks are of particular concern in light of the way cryptog- 
raphy is used today. For one, many cryptographic applications are carried out by 
small devices outside the security of a protected environment (e.g., smartcards 
and PDAs). Such gadgets may fall into the wrong hands with great ease, giving 
an adversary ample opportunity to apply a battery of physical attacks. More- 
over, today’s widespread use of cryptography, by virtue of its ubiquity, opens 
the door to increased vulnerabilities, such as opportunities for insider attacks by 
naive or malicious users. Thus it is important to reduce as much as possible the 
assumptions on the adversary’s limitations. 

On the manufacturing front, if we wish to store data which is both hardwired 
and secret this would need to be done at manufacturing time. This implies that 
the user’s secret key should, at some level, be known to the device manufacturer, 
and this is clearly not desirable. Moreover, producing one-of-a-kind hardware for 
each of many users, which would be required if a unique key is hardwired in each 
device, may be totally impractical. 

This body of evidence argues that to assume hardware that is both read-proof 
and tamper-proof is a big leap of faith. From this perspective, granted that both 
tamper-proof and read-proof security are assumptions, we wish to understand 
their relative strength. We are asking whether, for a fixed cryptographic algo- 
rithm, and a secret key which is stored in a read-proof hardware, the read-proof 
hardware can be bootstrapped via an algorithm to provide tamper-proofness? 
We introduce the notion of Algorithmic Tamper-Proof (ATP) Security which 
addresses security in the decoupled environment. 

Our Model. We will model devices with two separate components, one being 
tamper-proof yet readable, and the other being read-proof yet tamperable. These 
components may be thought of as corresponding to the traditional notions of a 
hardware (circuitry) and software (memory) components of a given device. We 
allow only data that is common to all devices (and considered universally known) 
to be hardwired beyond the tampering reach of the adversary. 

We define a very strong tampering adversary and the notion of security in our new model. The adversary considers the device's memory, M, as an n-tuple of individual bits, x_1, …, x_n, and knows the functionality of each bit-position (e.g., where a given secret key begins and ends). We allow the adversary to specify any polynomial-time computable function f : {0,1}^n → {0,1}^n and transform M to f(M). More precisely, we envisage that the adversary may adaptively interact with the device by repeating the following a polynomial number of times: 

1. choose a polynomial-time computable function f and replace the current memory content, M, with the new content f(M); and 

2. interact with the device with memory content f(M) (e.g., input a message to be signed with the current secret key, enter a PIN, etc.) 

We define the notion of algorithmic tamper-proof security and require that what- 
ever such an attacker can achieve, could also be achieved by a black-box attack 
on the system. This definition may be formulated either as a simulation-based 
definition, or by a direct definition of security for the cryptographic primitive 
(signature or encryption) with a tampering adversary. 

We believe this to make a clear and attractive model for studying our prob- 
lem. The model unifies and provides a theoretical framework for practical attacks 
such as differential fault analysis, while at the same time maintaining a more 
general view of security. The model also provides the next natural step in secu- 
rity against strong adversaries (e.g., for encryption, this is the next step after 
CCA2 attacks). Further applications may be possible. 

Our Answers. We first show that in the model as described above ATP security cannot be achieved. That is, having secret data stored in read-proof only hardware does not even preserve the secrecy of the data, let alone provide security for the cryptographic function. 

Thus, we consider modifications to the model which still preserve the decou- 
pling property in order to achieve ATP security. The modifications are done in 
two directions, one to enhance the physical design and the second to limit the 
tampering capabilities of the adversary. 

Enhancing the Physical Design. We show that ATP security in the above model 
can be achieved iff the device is enhanced with: (1) a self-destructing capability, 
and (2) some hardwired data (public parameter) which is produced by a separate 
server that cannot be tampered with. 

Specifically, we show that without (1), any cryptographic algorithm can be 
completely broken by a memory tampering attack, and that without (2), there 
are signature and encryption schemes that cannot be implemented securely in 
the face of a tampering attack. 

Then we proceed to show that the two enhancements are sufficient. We achieve algorithmic tamper-proof security with respect to arbitrary, feasible functions f, for fundamental public-key applications such as signing and decryption; but our techniques also apply in the secret-key setting. 

One way to interpret these results, is that to achieve general ATP for crypto- 
graphic schemes (e.g., signature or decryption), we do need a component which 
is both read-proof and tamper-proof (the memory of the server used for condi- 
tion 2). However, this component need not be part of every device instantiating 
the scheme, as assumed in traditional models (where the secret key is stored 
in that component). Rather, it is sufficient to have one such component, used 
only at setup time, in order to provide algorithmic tamper-proof security for all 
instantiations of the scheme on different devices. 

Restricting the Power of Tampering. We then initiate a study of tampering 
attacks under a restricted class of functions. We show that the situation is not 
hopeless even with a more basic device, that is not enhanced with self-destruct 
and an external public key. In particular, we show how to achieve ATP security 
when the adversary is limited to choosing functions f from some restricted, yet useful, classes of functions. The results presented have some practical significance as they address precisely such classes of functions that were successfully used before to attack existing systems [BS97,BDL01]. These include random hardware faults (differential fault analysis), and flipping (or “zapping”) specified bits. 

PIN-Protected Hardware. The main direct application of our results is in the 
protection of portable devices such as smartcards or PDAs. Indeed tampering 
attacks are most likely to be feasible when the device storing the secret key is 
completely in the hands of the adversary (though one can envision other scenar- 
ios). Portable devices are commonly protected by PIN numbers or passwords, to 
prevent unauthorized access by an adversary. We show how to incorporate PIN 
numbers in our model and how to make sure that the tampering powers of the 
adversary are not used to circumvent this extra layer of protection. 

Related Work. In addition to the related work mentioned above, there are several works that address the physical (as opposed to algorithmic) aspects of tamper-proofing a specific device (typically a smartcard), such as [QS01]. There are many approaches that address security when the read-proof (as opposed to tamper-proof) assumption is relaxed in some way. Most relevant in our context are the recent works of [ISW03], who consider security when the adversary may read part of the inputs going through the circuitry of the device, and of [MR03], who consider a general new model for security against an adversary that can observe arbitrary physical characteristics of a computation (“side channels”). The work of [CGGM00] on resettable zero knowledge can be viewed as a special case of algorithmic tamper-proof security, where the adversary's tampering powers are limited to resetting the randomness. 

2 The New Model 

2.1 The Device and Adversarial Capabilities 

We consider a system with two components: (1) secret content, sc (containing some secret key, sk, randomness, and possibly state information), and (2) a cryptographic algorithm A which uses the secret content (we may think of A as the circuitry component). 

We say that the system implements a certain function F, if for any input a, A(sc, a) = F(a). We say that A implements a keyed cryptographic function F(·,·), if for every key sk (from the appropriate domain) there exists a setting sc_sk of the secret data, such that the system (A, sc_sk) implements the function F(sk, ·). An algorithm computing sc_sk will be called a software setup algorithm. Finally, a device setup protocol implementing F(·,·) is a pair of algorithms. The first generates the algorithm A, possibly with some additional state information to be passed to the second algorithm. The second is a software setup algorithm: given input sk and A, and possibly an additional state information input, the algorithm generates an appropriate sc_sk. If the software setup algorithm is stateful, we say that the device uses public parameters. We will consider devices with efficient setup algorithms. 

Consider A which implements some F(·,·) (e.g., a signature algorithm). We define a tampering adversary who can request three commands to be carried out: Run(·), Apply(·), and Setup. 
— The command Run(a) invokes the cryptographic computation A using the software content sc on input a. The output is the output of such computation, i.e., A(sc, a). For example, if the cryptographic algorithm is a signature then the output is a signature on the message a using the secret key stored in sc. 

— The command Apply(f) takes as input a function f, and modifies the software content sc to f(sc). From this point on, until a new Apply(f) is requested, all Run(a) operations will use f(sc) as the new software content. f can be a probabilistic function. Note that the next invocation of Apply(f') would change f(sc) to f'(f(sc)), i.e. it does not apply f' to the original sc. There is no output for this command.* 

— The command Setup(sk) invokes the software setup algorithm, outputting sc such that the device (A, sc) implements the function F(sk, ·). 

The device may also have a self-destruct capability, called by the algorithm A. If this happens, every Run command from then on will always output ⊥. 

As mentioned above, security of smartcards and other portable devices is one 
of the motivations for considering this model. For convenience, throughout this 
paper we refer to the system interchangeably as a “card” or a “device” . 
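A toy model of the interface just described, added here as an illustration and not code from the paper: a Device object exposes Setup, Run and Apply, keeps its secret content sc in memory that Apply can rewrite, and carries one hardwired public parameter, an issuer verification key, which is the kind of enhancement the Introduction says is needed alongside self-destruct. Before every Run the algorithm checks that sc is still the issuer-certified content and self-destructs otherwise, so a modified key yields ⊥ from then on rather than output computed under the modified key. The issuer signature is a Lamport one-time signature over SHA-256, chosen only because it needs nothing beyond the standard library, and the keyed functionality is an HMAC standing in for the card's real computation. The paper's own constructions and their security proofs are in its later sections, not on this page, and this sketch does not claim to reproduce them; every name here is constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

Digest = bytes
LamportSK = List[Tuple[bytes, bytes]]
LamportPK = List[Tuple[Digest, Digest]]


# ---- Issuer signature: Lamport one-time signature over SHA-256 (stdlib only) ----
def lamport_keygen() -> Tuple[LamportSK, LamportPK]:
    """256 pairs of random preimages; the public key is their SHA-256 images."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes) -> List[int]:
    """The 256 bits of SHA-256(msg), most significant bit first."""
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk: LamportSK, msg: bytes) -> List[bytes]:
    """Reveal, for every bit of H(msg), the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def lamport_verify(pk: LamportPK, msg: bytes, sig: List[bytes]) -> bool:
    """Check that each revealed preimage hashes to the public image chosen by H(msg)."""
    if not isinstance(sig, list) or len(sig) != 256:
        return False  # a truncated signature must not slip through zip() truncation
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _message_bits(msg))))


# ---- The device: tamperable secret content plus a hardwired public parameter ----
class Device:
    def __init__(self, issuer_pk: LamportPK) -> None:
        self.issuer_pk = issuer_pk  # public parameter: readable, but beyond tampering reach
        self.sc: object = None      # secret content (sk, issuer signature on sk); Apply() can rewrite it
        self.destroyed = False

    def setup(self, issuer_sk: LamportSK, device_key: bytes) -> None:
        """Setup(sk): the issuer certifies the device key under its own key."""
        self.sc = (device_key, lamport_sign(issuer_sk, device_key))

    def apply(self, f: Callable[[object], object]) -> None:
        """Apply(f): the adversary replaces sc with f(sc); there is no output."""
        self.sc = f(self.sc)

    def run(self, a: bytes) -> Optional[bytes]:
        """Run(a): compute with sc, or return None (standing in for the symbol ⊥)."""
        if self.destroyed:
            return None
        certified = (isinstance(self.sc, tuple) and len(self.sc) == 2
                     and isinstance(self.sc[0], bytes)
                     and lamport_verify(self.issuer_pk, self.sc[0], self.sc[1]))
        if not certified:
            self.destroyed = True  # self-destruct: every later Run also returns ⊥
            return None
        key = self.sc[0]
        return hmac.new(key, a, hashlib.sha256).digest()  # toy keyed functionality


def demo() -> Tuple[bool, bool, bool]:
    """Honest use works; a single-bit key modification bricks the card permanently."""
    issuer_sk, issuer_pk = lamport_keygen()
    card = Device(issuer_pk)
    card.setup(issuer_sk, os.urandom(32))
    honest_ok = card.run(b"message") is not None
    card.apply(lambda sc: (bytes([sc[0][0] ^ 1]) + sc[0][1:], sc[1]))  # flip one key bit
    tampered_refused = card.run(b"message") is None
    still_dead = card.run(b"message") is None
    return honest_ok, tampered_refused, still_dead


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Note what the check does and does not buy: the adversary can still Apply a function that leaves sc intact or wrecks it depending on some predicate of the key, and learn that predicate from whether the next Run answers or the card dies; the self-destruct limits this to a single such probe per card, which is exactly why the text treats self-destruct and the public parameter as a pair rather than as alternatives.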

Incorporating PIN Numbers. Consider the application of the model to 
smartcards. One goal is to prevent a tampering adversary from learning infor- 
mation about the contents of the card, so that he cannot duplicate and distribute 
devices with the same functionality (e.g., decryption cards for pay-TV applica- 
tions). However, it is also often desirable to prevent the adversary from using 
the functionality of the device himself. 

Towards this goal, we propose that the card be augmented with a short 
memorizable PIN, to be entered by the user before any application. That is, a 
Run query, where it previously took one input, now should take two: the PIN 
and the input (such as a message m to be signed) . The card will only function if 
the PIN is correct, and, moreover, it will permanently stop functioning (or self- 
destruct) after a certain (not too big) number of wrong attempts. This requires 
a counter mechanism. 

It is not hard to show that if the adversary cannot tamper with the counter, 
all our results carry through by considering the PIN as part of the secret key. 
In Section 5 we show how to achieve ATP security in the setting with PIN, by 
showing a cryptographic implementation of a counter which is ATP secure, based 
on one-way permutations or on forward-secure signature schemes. (We thus will 
not directly deal with the PIN setting in the other parts of the paper.) 



* It is clear that if this command was allowed any output, then it could just output the secret key. Moreover, we cannot even allow f to produce outputs by making calls to Run, or security would be unachievable. Consider the following attack. The adversary chooses two inputs x_0 and x_1. Given that the secret key on the card is s_1 s_2 … s_l, the function f is “for i = 1 to l Run(x_{s_i})”. Clearly, by executing this function, we extract the whole secret key. 
2.2 The Notion of Security 



Intuitively, we would like the extra power given to the adversary to be useless. We present definitions of security for signature and encryption schemes, and discuss the simulation technique that we use to achieve these goals. 

Signature Cards. The classical definition of security for signature schemes is security against adaptive chosen-message attack, introduced by [GMR88]. In our terminology, this corresponds to an adversary who is given a public key pk and the opportunity to issue as many Run commands as he wants on input messages m_1, …, m_n, chosen adaptively, and get the corresponding signatures. Then we say that the scheme is unforgeable if the adversary is not able to produce a new message m ≠ m_j and a valid signature on it. 

In our model we augment the power of the adversary by allowing him to also 
issue Apply commands. That may change the key pair corresponding to the card; 
namely, instead of the original key pair (pk,sk), the card may now be working 
relative to various different key pairs (pk', sk'). Yet, we will consider as relevant 
only Run queries for which the adversary gets a valid signature relative to the 
original public key pk. After interacting with the card, the adversary should not 
be able to produce a new message m and its valid signature under the public 
key pk. We count as a forgery a pair (m, s) even if m was asked before, but the 
card outputs an invalid signature because it had an incorrect secret key stored 
inside as a consequence of some Apply command. 

Formally, let S = (Gen, Sig, Ver) be a signature scheme, where Gen is the key-generation algorithm, Sig is the signature algorithm, and Ver is the verification algorithm. We say that S is algorithmically tamper-proof unforgeable if for every probabilistic polynomial-time adversary A, there exists a negligible function negl() such that 

Pr[ (pk, sk) ← Gen(1^k); 
    H ← I ← {}; State ← ε; 
    for i = 1 … n 
        (State, Cmd) ← A(State, pk, H); 
        if Cmd = Run(m_i) then s_i ← Sig(sk, m_i); 
            if Ver(pk, m_i, s_i) = yes then I ← I ∪ {m_i}; 
        if Cmd = Setup(sk_i) then s_i ← Setup(sk_i); 
        if Cmd = Apply(f_i) then sk ← f_i(sk); 
        H ← H ∪ {(Cmd, s_i)}; 
    (m, s) ← A(pk, H); 
    m ∉ I and Ver(pk, m, s) = yes ] ≤ negl(k) 



Decryption Cards. In the full version of this paper, we give the definition of 
security for decryption cards. Here, we give an informal sketch of this definition. 

Recall that security for encryption schemes comes in at least three different 
levels: semantic security (security against passive adversary) [GM84], security 
against lunchtime attacks (security against an adversary who can interact with 
the decryption oracle during a training stage, before receiving a challenge cipher- 
text) and security against adaptive chosen ciphertext attacks (CCA-2, where an 
adversary has a training stage before he receives a challenge ciphertext; once 
he receives the challenge ciphertext, he can ask the decryption oracle additional 
queries which must be distinct from his challenge ciphertext). 

We say that a scheme is secure against adaptive chosen-ciphertext attack with lunchtime tampering (or tamper-proof CCA-2 secure) if we allow the adversary to issue both Run and Apply commands during the training stage. Then the adversary outputs two messages m_0, m_1 and is given the target ciphertext c, which is the encryption of either m_0 or m_1, chosen at random. Then the adversary can perform only Run queries on any ciphertexts other than c. We say that the scheme is secure, if the adversary cannot guess (with probability better than 1/2) the correct decryption of c. 

Note that we do not allow the adversary to modify the secret key after the target ciphertext is released. This is because, for a challenge ciphertext c, an Apply query may be of the form “If c decrypts to 0, self-destruct,” and therefore it leaks information about the plaintext. 

Proofs by Simulation. The above security goal would follow if we were able to 
prove that this powerful adversary does not learn any more information about 
the secret key than an adversary who is simply limited by an input/output 
relationship with the card (because then, if we start from a card secure in the 
old model, it is also ATP secure). 

We can use the concept of simulation to capture the above idea. Our theorems 
will be proven according to the following approach. We will construct simulators 
which have only Run(·) access to the card and Setup(·) access to the issuer, and 
make them interact with the tampering adversary. The card is resistant to the 
tampering powers of the adversary (namely Apply commands) if the adversary 
is not able to distinguish between the case that he interacts with the real card, 
and the case that he interacts with the simulator. 



3 Enhancing the Physical Design 

As stated in the Introduction we augment our model with two additions: public parameters and self-destruct, and show that these additions are both necessary and sufficient to achieve ATP security.

These results are shown by exhibiting attacks when the enhancements are not 
available. First, we show an attack that extracts the entire secret key from any 
cryptographic algorithm, as long as the card never self-destructs. Then, we show 
that there is a signature scheme for which there is an attack that can extract the 
entire secret key, for any implementation without public parameters (even with 
self-destruct). This can be viewed as a very powerful and simple generalization 
of previous specific attacks such as [BDL01,BS97]. 
3.1 Self-Destruct Is Necessary

Testing for Malfunctioning. Intuitively, for any meaningful cryptographic func- 
tionality, we should be able to determine, perhaps with some degree of error, 
whether a given device functions properly, i.e., whether the secret content sc 
stored on the device gives rise to the right functionality. 

If no one can tell that a given device is doing its job correctly, then this 
device can be replaced with another one, based on a secret content sc' that was 
generated by a separate invocation of the Setup algorithm, and no one will notice 
the difference. Hence sc is useless, since sc' works just as well, and there is no 
need to protect it! 

For example, suppose that we have a signature device. Provided that we 
have the corresponding public key, we can test whether the device functions as 
prescribed by querying the device for a signature on some message, and then 
checking the validity of the signature. Similarly, for a decryption device in the 
public-key setting, whether or not it maintains its functionality can be deter- 
mined by encrypting many messages and checking whether the device decrypted 
all of them correctly. 

Such a test may not be perfect. It is possible that, even though the device does not have the correct secret content sc but some sc' that is close to the correct content, the device will still pass our test with non-negligible probability. It is easy to come up with schemes that still work, even if their secret keys have been altered slightly, but provide the correct output with decreased probability.

Let us assume that for the functionality at hand, we have a testing procedure Test-Dev such that (1) Test-Dev will always accept when given a device whose sc is correct; (2) if Test-Dev accepts a device with secret content sc' with non-negligible probability ε, then discovering sc' constitutes a successful attack on the functionality of the device.

The tests described above for signature and decryption functionalities satisfy these two conditions: discovering an sc' that allows one to generate correct signatures only an ε fraction of the time is still an attack on the signature functionality: now the adversary can create an existential forgery. Similarly, being able to decrypt with an ε advantage over random guessing constitutes an attack on a cryptosystem. We show the following claim (informally stated):

Claim. No cryptographic device that can be efficiently tested for malfunctioning can be made tamper-proof without the self-destruct capability.

Sketch of Proof: The Key-Extraction Procedure. Suppose that we are given a procedure Test-Dev as described above. Suppose that the secret content sc of the device consists of n bits. Finally, suppose that the only operation the attacker is allowed to carry out on the secret component of the device is the Set(i, b) operation that sets the i-th bit of sc to b.

Consider the following procedure, that outputs a candidate value C = C_1...C_n for the secret content sc: Initialize i = 1. While i ≤ n: (1) For each b ∈ {0,1}, Set(i, b) and run Test-Dev. Let b* be the value such that, when sc_i = b*, Test-Dev accepted more often than when sc_i = 1 − b*. (2) Set(i, b*), C_i = b*. (3) Increment i. Upon completing the while-loop, output C.

The value C output at the end is identical to the value sc' stored on the device at the end of the procedure. Note that on each iteration of the loop, this procedure maintains the invariant that, with probability 1 − ν(n) (where ν(n) is a negligible function), the value currently stored in the secret component sc' of the device is accepted by Test-Dev with non-negligible probability. This can be seen by induction: when i = 1, the secret component has not been altered yet, and so we are given that Test-Dev accepts. Suppose that i > 1. We know that the current sc is accepted by Test-Dev with non-negligible probability. Let b be the current bit sc_i. Suppose that setting sc_i = 1 − b results in Test-Dev accepting with only negligible probability ν. Then the probability that b* = 1 − b is also negligible. Therefore, the device accepts with non-negligible probability when its secret content is C, thus discovering C constitutes a successful attack.

The above attack relies on the adaptiveness of the adversary, who decides 
which Apply command to issue next, depending on the result of the previous Run 
command. In the full version of this paper we show that even a non-adaptive ad- 
versary can extract the secret key using a fixed list of Run and Apply commands. 
The functions applied simply exchange pairs of specified bits in the string. □ 



3.2 Hardwiring an External Public Key Is Necessary 

Let us start with some intuition. For simplicity, consider a card implementing a signature algorithm F(·, ·) (the same techniques will work for decryption cards). Having no public parameters means that there is a software setup function g, such that for any sk', g(sk') outputs a corresponding sc' for a card implementing F(sk', ·). In particular, for a given card whose software sc corresponds to some sk, the adversary may be able to replace sc by sc' corresponding to another, "adversarial" sk'. Such an sk' might have the property that when the adversary now issues a Run command, the output will include the original sk, which will allow the adversary to completely break the signature scheme. Indeed, we will show below a signature scheme for which this is exactly the case, and thus there is no ATP method which works for this scheme. It follows that for any general ATP method, the software content cannot be computed solely from the information held by the device. Instead, it must make use of some hardwired cryptographic public key Π, such that the corresponding secret key is needed in the setup of sc. Concretely, we prove that for any general algorithmic tamper-proofing method we can view the hardwired content of the device, A, as a public key for a weak signature scheme, secure against universal forgery (i.e., not all messages can be forged), in the face of a single known-message attack. We refer the reader to [GMR88] for definitions and discussion of these and other security levels for signature schemes.

Footnote: It may seem that this does not grant the adversary any special powers, since he can always compute this by issuing a Setup(sk') command. However, such a Setup command requires that the adversary knows sk'.

Footnote: It will be convenient to identify Π as the public key of the card manufacturer, though in reality the corresponding secret key may be held by a third party, or distributed among several parties who participate in the setup stage.

Towards making the above intuition formal, for any signature scheme F that has a tamper-proof implementation, consider the following weak signature scheme W_F. The key generation algorithm is the device's setup algorithm for a tamper-proof secure card implementing F. The public key Π is set to the entire content of the card's hardware (the algorithm A), and the secret key is the randomness used to generate the public key. The signing algorithm, upon receiving a message m, checks if m is of the form (pk, sk) which are valid public and secret key pairs for F. If so, output sc as appropriate for a tamper-proof-secure card for a user holding (pk, sk). To verify a signature sc on (pk, sk), the verifier checks if a card containing the hardware Π and the software sc would perform correctly as a signature card for (pk, sk) (this can be done by trying to sign). Accept if the check succeeds.

Claim. There exists a secure signature scheme F such that, if its tamper-proof implementation exists, then W_F (described above) is a weak signature scheme secure against universal forgery in the face of a single known-message attack.

Sketch of Proof. It suffices to show a secure signature scheme F and two messages a and b such that given a valid signature of W_F on a, it is computationally infeasible to compute a valid signature on b.

Consider any secure signature scheme comprised of Gen, Sig, Ver and a security parameter k. We define F = (Gen', Sig', Ver') as follows.

— Gen' runs Gen to obtain the key pair pk, sk. Let R be a random string of length k. Let sk' = sk ∘ R and pk' = pk.

— Sig'(sk', m): for sk' = sk ∘ R, if R ≠ 0^k, output σ ← Sig(sk, m). Otherwise, output sk.

— Ver'(pk, m, σ) just runs the algorithm Ver.

The resulting signature scheme F is secure as long as the original one was secure (the probability that R = 0^k happens to be chosen is negligible).

We now turn to W_F, and let a = (pk, sk ∘ R) and b = (pk, sk ∘ 0^k) for some (pk, sk) generated by Gen and for R ≠ 0^k. Assume towards contradiction that given a signature sc = W_F(a) one could forge a signature sc' = W_F(b) by applying some feasible function f. It follows that a card for F containing sc can be tampered with to produce a forgery. Indeed, the adversary can apply f to the content of the card, thus resulting in sc', which is valid for the key pair (pk, sk ∘ 0^k). Now the adversary can issue a Run command on any message. The card extracts sk' = sk ∘ 0^k, runs on the selected message, resulting in the output sk. Now the adversary can forge signatures with respect to F (with respect to the original pk). This contradicts the tamper-proof security of the card. (Note that even if the card contains self-destruct capability, it is not useful since there is no way the card can detect any problem, as sc' encodes a valid sk.) □

Footnote: We note that security against universal forgery with known-message attacks is not a strong enough notion of security for signature schemes (the standard one, which is our default definition for signature security, is security against existential forgery in the face of adaptive chosen-message attacks [GMR88]). Nevertheless, this weak signature scheme already implies that there is some cryptographic key Π which must be hardwired into the card, and thus in some sense "certifies" sc.

Algorithmic Tamper-Proof (ATP) Security 269



3.3 ATP for Signature and Decryption Schemes 

In this section we show how to realize ATP for signature and decryption schemes. 
Our results meet the definitions of Section 2 in the model enhanced with public 
parameters and self-destruct (as shown necessary above). 

Consider a scheme 𝓕 which is either a signature scheme or a public-key encryption scheme, and let sk be a secret signing or decryption key. We would like to store sk in the secret storage of the card, so that an adversary cannot tamper with it in any useful way. A very natural approach is for the card issuer to digitally sign sk and store the signature together with sk in sc, and have the card verify the signature against the issuer's public key before using sk for signing or verifying.

This is indeed the approach that we use, with a few details that need to be 
taken care of. First, as we already discussed, in order for this to work we must 
ensure that the card contains the public key of the issuer hardwired into its 
circuitry, and that the card self-destructs if the check does not succeed. However, 
it turns out that this is not enough: even if the card issuer uses a signature scheme 
secure against chosen message attack in the standard sense of [GMR88], we will 
see an attack that completely recovers sk. 

Instead, we will assume that the signature scheme used by the card issuer satisfies a stronger property: not only is it hard to forge a signature on a new message, it is hard to forge a new signature on an old message. Although this is stronger than the traditional definition, most signature schemes known (cf. [GMR88,FS87,GQ88,Sch91,CS99,GHR99]) already satisfy it. We call this notion strong security against chosen message attack (the formal definition is straightforward and omitted here). The scheme is described in Figure 1.

Theorem 1. If strong unforgeable signature schemes exist, then there exist ATP unforgeable signature schemes. Specifically, if Σ is a strong signature scheme, and 𝓕 is a standard signature scheme (unforgeable against adaptive chosen message attack), then the implementation in Figure 1 is an ATP unforgeable signature scheme.

The proof is given in the full version. Very briefly, the proof proceeds by constructing a simulator that, for any adversary, launches an adaptive chosen message attack on the underlying signature scheme 𝓕. The simulator guesses which query of the adversary changes sc, and guesses that this query in fact replaced sc with some pair (sk', σ_Π(sk')) which is one of the queries the adversary issued to the card issuer's signing oracle. For these guesses, the simulator can now answer all of the adversary's queries, as it knows the content of sc. We then prove that either: (1) the simulator succeeds in producing a forgery with probability polynomially related to that of the adversary (thus breaking the underlying signature scheme), or (2) another simulator can be constructed which produces a forgery to the card issuer's signature scheme.

Let Σ = (G, σ, V) be a strong signature scheme (used by the card issuer). Let 𝓕 be either a signature scheme of the form 𝓕 = (Gen, Sig, Ver) or an encryption scheme of the form 𝓕 = (Gen, Enc, Dec), and let F be the algorithm Sig or Dec, respectively. Let (Ξ, Π) ← G(1^k) be the secret and public signing keys of the card issuer, and let (sk, pk) ← Gen(1^k) be secret and public (signing or encryption) keys for 𝓕.

During card setup, Π is hardwired into the card's circuitry (as part of the algorithm below), and the pair (sk, σ_Π(sk)) is stored in the protected memory sc (where σ_Π(·) = σ(Ξ, ·) is the issuer's signing algorithm).

Upon receiving a Run(a) query, the card performs the following algorithm:

(1) Checks that the storage is of the form (sk, σ_Π(sk)) (using the verification algorithm V).

(2) If so, run F(sk, a) (either signature or decryption) and output the result. Otherwise: self-destruct.

Fig. 1. Tamper-Proofing a Signature or Decryption Scheme
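The following Go program is an added example, not code from the paper, simulating the card of Figure 1 and showing why the self-destruct of Section 3.1 matters: any storage that is not an issuer-certified pair kills the card, while swapping in another certified pair (the one useful change named in the proof sketch) just turns the card into that other user's card. It assumes Ed25519 for both the issuer's strong scheme Σ and the user's scheme 𝓕; the names Issuer, Card, IssueCard, Apply, Run and FlipBit are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Issuer holds the card issuer's signing keys (Xi, Pi) of Figure 1.
// Assumption: Ed25519 stands in for the issuer's strong scheme Sigma and for
// the user's scheme F; the paper fixes no concrete schemes.
type Issuer struct {
	xi ed25519.PrivateKey // Xi: stays with the issuer
	Pi ed25519.PublicKey  // Pi: hardwired into every card's circuitry
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{xi: priv, Pi: pub}, nil
}

// Certify is sigma_Pi(sk): the issuer's signature on the user's secret key.
func (is *Issuer) Certify(sk ed25519.PrivateKey) []byte { return ed25519.Sign(is.xi, sk) }

// NewUser runs Gen(1^k) for the user's signature scheme F.
func NewUser() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

// Card: Pi sits in untamperable hardware; sc is the tamperable secret storage
// holding the pair (sk, sigma_Pi(sk)) as the byte string sk || sigma.
type Card struct {
	pi        ed25519.PublicKey
	sc        []byte
	Destroyed bool
}

func IssueCard(is *Issuer, sk ed25519.PrivateKey) *Card {
	return &Card{pi: is.Pi, sc: append(append([]byte{}, sk...), is.Certify(sk)...)}
}

// Storage returns a copy of sc, i.e. what an Apply command operates on.
func (c *Card) Storage() []byte { return append([]byte{}, c.sc...) }

// Apply is the adversary's tampering command sc <- f(sc).
func (c *Card) Apply(f func([]byte) []byte) { c.sc = f(c.Storage()) }

// Run follows Figure 1: (1) check that sc is of the form (sk, sigma_Pi(sk)) under
// the hardwired Pi; (2) if so sign the input, otherwise self-destruct.
func (c *Card) Run(msg []byte) ([]byte, error) {
	if c.Destroyed {
		return nil, errors.New("card has self-destructed")
	}
	n := ed25519.PrivateKeySize
	if len(c.sc) != n+ed25519.SignatureSize || !ed25519.Verify(c.pi, c.sc[:n], c.sc[n:]) {
		c.Destroyed = true
		return nil, errors.New("storage is not an issuer-certified key: self-destruct")
	}
	return ed25519.Sign(ed25519.PrivateKey(c.sc[:n]), msg), nil
}

// Verify checks an output of Run against the user's public key pk.
func Verify(pk ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pk, msg, sig) }

// FlipBit is the single-bit Apply function of Sections 3.1 and 4 on sc.
func FlipBit(i int) func([]byte) []byte {
	return func(sc []byte) []byte {
		sc[i/8] ^= 1 << (uint(i) % 8)
		return sc
	}
}

func main() {
	issuer, _ := NewIssuer()
	pk, sk := NewUser()
	card := IssueCard(issuer, sk)
	msg := []byte("constructed sample message")
	sig, err := card.Run(msg)
	fmt.Println("honest card signs correctly:", err == nil && Verify(pk, msg, sig))

	// The only useful tampering: swapping in another issuer-certified pair.
	pk2, sk2 := NewUser()
	other := IssueCard(issuer, sk2)
	card.Apply(func([]byte) []byte { return other.Storage() })
	sig, _ = card.Run(msg)
	fmt.Println("after swap, valid under pk2 / pk:", Verify(pk2, msg, sig), Verify(pk, msg, sig))

	// Any other change, such as the bit probing of Section 3.1, kills the card.
	card.Apply(FlipBit(3))
	_, err = card.Run(msg)
	fmt.Println("after bit flip:", err, "destroyed:", card.Destroyed)
}
```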

Theorem 2. If CCA2 (resp., CCA1) secure encryption schemes and strong unforgeable signature schemes exist, then there exist cryptosystems that are ATP CCA2-secure with lunchtime tampering (resp., ATP CCA1-secure). Specifically, if Σ is a strong signature scheme, and 𝓕 is a CCA2 (resp., CCA1) secure encryption scheme, then the implementation in Figure 1 is secure against CCA2 with lunchtime tampering (resp., tamper-proof CCA1 secure).

The proof of this theorem is slightly more complicated than the proof for the 
signature scheme, but it follows the same general idea. It also appears in the full 
version of this paper. 

A strong signature scheme is necessary for this construction. The following attack works in the case where the issuer's signature scheme is unforgeable according to the traditional definition. In other words, assume that it is possible, given a valid message/signature pair (m, σ), to construct a new valid pair (m, σ') with σ' ≠ σ.

Footnote: Intuitively, the only useful change to sc that the adversary can make is by replacing it with a signed pair. This is where the proof requires that the signature scheme for the issuer is strong: this property guarantees that the only signatures the adversary can get are exactly those directly queried, thus allowing the simulator to answer Apply queries from the adversary.
Assume that the issuer's signature scheme has the following property: a signature σ consists of two parts, σ_1 and σ_2. The second component is ignored by the verification algorithm, which really uses only σ_1 to authenticate messages. Thus, the pair (sk, σ) is stored on the card, where σ = (σ_1, σ_2) is the manufacturer's signature on sk.

The adversary does the following: first he obtains, from the issuer via a Setup query, a signature σ' = (σ'_1, σ'_2) on a secret key sk'. Then he replaces the value σ_2 in the card with the values (sk, σ_1). Note that this will not have any effect on the card's functionality and will not cause the card to self-destruct. Then for each bit sk_i of the secret key he will do the following: if sk_i = 0 then do nothing, otherwise replace sk with sk' and σ_1 with σ'_1, but do not touch the modified σ_2 (this way a record of the old secret key remains). Now by simply querying the card on a given message m, the adversary will be able to see if sk or sk' is being used, and thus if sk_i = 0 or not. The adversary then restores sk and σ_1 and repeats the above process for i + 1.



On Private Card Setup. In the above solutions, we need to have the issuer's signature on the secret key sk. It is important to note that this does not imply that the card's issuer must know sk. Indeed, one solution is running generic secure two-party protocols [Yao82,GMW87,Gol98], as a result of which the user obtains σ_Π(sk), and the issuer obtains nothing. The proof of security can be extended to this case as well, by having the simulator extract the value sk from the adversary (who no longer sends sk in the clear to the signing oracle). The drawback of this general solution is that it may be expensive. Another existing solution is blind signatures. Although providing the desired property that the issuer learns nothing about sk, they are overkill, because the issuer does not learn σ either! A more efficient solution follows.

Tight commitment scheme. Recall that a non-interactive commitment scheme Com is (informally) a function such that for all x, for a random r, it is hard to infer any information about x from the value Com(x, r), and it is infeasible to find (x, r) and (x', r') such that Com(x, r) = Com(x', r') and x ≠ x'. Let Com be a secure non-interactive commitment scheme with a special security property that is similar to the special security property of the signature scheme that we use for the device issuer. Namely, not only is it infeasible to open a commitment in two different ways, but it is infeasible to even find a value x and values r ≠ r' such that Com(x, r) = Com(x, r'). Let us call a commitment scheme with this property a tight commitment scheme. Pedersen commitment [Ped92] is an example of a tight commitment scheme.

Suppose that we are given a tight commitment scheme with an efficient zero-knowledge proof of knowledge of how to open a commitment. For example, the Pedersen commitment has such a protocol. Then the issuing protocol can be implemented as follows: the user forms a commitment c = Com(sk, r). He then proves knowledge of the commitment opening. Finally, the issuer sends to the user the value σ = σ_Π(c). The secret component sc of the device will consist of (sk, r, σ).

The proof that a tight commitment scheme is necessary for the security of this construction is similar to the proof that a strong signature is necessary, and is omitted here.

4 ATP via Restricted Classes of Functions 

In this section, we consider an adversary that is limited to issuing Apply com- 
mands from some restricted, yet useful, class of functions. It turns out that in this 
case, ATP results are possible even without self-destruct and public parameters. 

The results presented below have some practical significance, not only be- 
cause the model they require is more realistic (e.g., without the self-destruct 
requirement), but also since we address precisely such classes of functions that 
were successfully used before to attack existing systems [BS97,BDL01]. These 
include random hardware faults termed differential fault analysis, and flipping 
(or zapping) specified bits. Using our solutions, attacks like the above ones can 
be protected against. 

Since our definition of security requires the functionality of the card to re- 
main secure even when the adversary knows the PIN, we concentrate below on 
protecting the functionality of the card. Adding PIN protection can be done in 
a similar manner to our above general solutions. 

Differential Fault Analysis. The following result holds for cards with any cryptographic functionality, with neither self-destruct nor a hardwired external key.

Suppose the adversary is limited to the following attack: He specifies two values p_0, p_1 ∈ [0,1]. f_{p_0,p_1}(x) transforms each bit x_i of x as follows: if x_i = b, leave it that way with probability p_b, otherwise flip it. Note that this transformation is exactly the same for each bit. (In information-transmission terms, this transformation can be viewed as sending x through an adversarial memoryless channel.)

Although seemingly benign compared to other attacks we have considered, this is in fact a very powerful attack, invented by Biham and Shamir [BS97] (following Boneh, DeMillo, and Lipton [BDL01]), and known as differential fault analysis. Biham and Shamir use it to recover the entire secret key of a decryption card, such as DES.

Securing a smart-card against such an attack does not require any enhancement to the minimal model. Rather, we can just encode the secret s using an error-detecting code whose distance d is such that 1/2^d is negligible. Before running its intended application, the card sees if there are any errors in its storage. If so, it does nothing; otherwise, it works as intended.

It is easy to see that this is sufficient, because if the card’s storage changes, 
it is very unlikely that it will change into a valid encoding; therefore, a simulator 
that just computes the probability that the card is unusable after a given Apply 
query and acts accordingly is sufficient for the proof. 



Footnote: Their attack uses asymmetric memory, where p_0 = 1, and p_1 is relatively large, but less than 1. That is, a bit which is 1 has a small non-negligible probability to flip.







We note that using error-detecting codes follows the approach alluded to by Boneh, DeMillo, and Lipton [BDL01], who suggest that a cryptographic computation needs to be checked before the output is given.

The Flip Function in the Model Without Self-Destruct. Suppose the external public key of the issuer is wired in, but there is no self-destruct.

Consider the function Flip(x, i) = x' where x' is equal to x in all the bits except the i-th, which is complemented. (This generalizes differential fault analysis by giving the adversary control over which bits to flip, and the certainty that the bit has been flipped.) If the adversary is limited to issuing commands of the form Apply(Flip(·, i)), then the self-destruction property is not required.

Suppose sk is the secret that needs to be stored on the card. Each bit sk_i of sk is encoded using two random bits, e_{i,1} and e_{i,2}, such that e_{i,1} ⊕ e_{i,2} = sk_i. The resulting encoding, e(sk), is then signed by the card manufacturer. The values (e, σ(e)) are stored on the card.

For each Run command, the card first checks that in its storage, (e, σ), σ is a valid signature on e. If so, the card reconstructs the secret key sk from e(sk) and performs whatever operation is required. Otherwise, the card does nothing.

A sketch of the proof that the latter solution provides ATP security against 
an adversary limited to flipping bits can be found in the full version of this paper. 
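An added Go example, not the paper's code, of the two encodings of this section: the error-detecting check against the memoryless channel f_{p0,p1} of the differential-fault paragraph, and the XOR-share encoding e(sk) against Flip. It assumes a SHA-256 tag as the error-detecting code and leaves the manufacturer's signature on e to the Figure 1 check; all function names are this example's own.

```go
package main

import (
	"bytes"
	crand "crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/rand"
)

// Encode protects a secret s against differential fault analysis by storing the
// codeword s || tag. Assumption: a SHA-256 tag stands in for the paper's
// error-detecting code of distance d; a fault pattern turns a codeword into
// another valid codeword with probability about 2^-256, which is negligible.
func Encode(s []byte) []byte {
	tag := sha256.Sum256(s)
	return append(append([]byte{}, s...), tag[:]...)
}

// CheckAndDecode is the card's check before running: return s only if the
// storage is a valid codeword; otherwise the card does nothing (no self-destruct).
func CheckAndDecode(stored []byte) ([]byte, error) {
	if len(stored) < sha256.Size {
		return nil, errors.New("storage too short to be a codeword")
	}
	cut := len(stored) - sha256.Size
	want := sha256.Sum256(stored[:cut])
	if !bytes.Equal(stored[cut:], want[:]) {
		return nil, errors.New("fault detected: refusing to run")
	}
	return append([]byte{}, stored[:cut]...), nil
}

// MemorylessChannel is the adversary's f_{p0,p1}: each bit equal to b is kept
// with probability p_b and flipped otherwise, independently per bit. The seed
// only drives the simulated faults.
func MemorylessChannel(x []byte, p0, p1 float64, seed int64) []byte {
	rng := rand.New(rand.NewSource(seed))
	y := append([]byte{}, x...)
	for i := range y {
		for bit := uint(0); bit < 8; bit++ {
			keep := p0
			if (y[i]>>bit)&1 == 1 {
				keep = p1
			}
			if rng.Float64() >= keep {
				y[i] ^= 1 << bit
			}
		}
	}
	return y
}

// ShareEncode is the encoding against Flip(x, i): each bit sk_i is replaced by
// two random bits e_{i,1}, e_{i,2} with e_{i,1} XOR e_{i,2} = sk_i. Bytewise:
// a random mask r and sk XOR r, interleaved. The manufacturer's signature on e
// is the Figure 1 check and is not repeated here.
func ShareEncode(sk []byte) ([]byte, error) {
	r := make([]byte, len(sk))
	if _, err := crand.Read(r); err != nil {
		return nil, err
	}
	e := make([]byte, 2*len(sk))
	for i := range sk {
		e[2*i], e[2*i+1] = r[i], sk[i]^r[i]
	}
	return e, nil
}

// ShareDecode reconstructs sk from e(sk).
func ShareDecode(e []byte) []byte {
	sk := make([]byte, len(e)/2)
	for i := range sk {
		sk[i] = e[2*i] ^ e[2*i+1]
	}
	return sk
}

// BitsDiffering counts positions where two equal-length strings differ. One
// Flip on e changes exactly one bit of ShareDecode(e), so the signed e stops
// verifying whatever sk is, and the card's refusal reveals nothing about sk.
func BitsDiffering(a, b []byte) int {
	n := 0
	for i := range a {
		for v := a[i] ^ b[i]; v != 0; v &= v - 1 {
			n++
		}
	}
	return n
}

func main() {
	s := []byte("constructed 32-byte secret key!!")
	faulted := MemorylessChannel(Encode(s), 1, 0.9, 1) // the asymmetric [BS97] channel
	_, err := CheckAndDecode(faulted)
	fmt.Println("bits hit by the channel:", BitsDiffering(faulted, Encode(s)), "card says:", err)
}
```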



5 ATP of Devices Using PIN Numbers 

We saw that security of portable devices, such as smart-cards, provides strong motivation for considering ATP security. Indeed, one goal is to prevent an adversary capable of tampering with the device from learning information about its contents, so that such an adversary cannot duplicate and distribute devices with the same functionality (e.g., decryption cards for pay-TV applications). However, it is also often desirable to prevent the adversary from using the functionality of the device himself.

To address this problem, we propose that the device be augmented with a 
short memorizable PIN to be entered by the user before any application. That is, 
a Run query, where it previously took one input, now should take two: the PIN 
and the input (such as a message m to be signed) . The device will only function 
if the PIN entered is correct, and, moreover, it will permanently stop functioning 
(or self-destruct) after a certain (not too big) number of wrong attempts. This 
can be implemented by a counter which is incremented with every failed attempt. 
We may consider a model where the device self-destructs once the counter has 
reached a certain number. A better model, but harder to achieve, is one where 
the number of consecutive wrong attempts is also limited (this limit could then 
be very small, such as 3). 

As a starting point, assume that the adversary cannot tamper with the counter implementation. In this case, all the results we saw so far can be extended to the PIN setting, by considering the PIN as part of the secret key. In particular, in the model with public parameters the signature of the card issuer will be on the secret key together with the PIN.

We now turn to addressing the implementation of the counter. Clearly, if the 
counter is kept in regular tamperable memory, the adversary can recover the PIN 
by trying all possible PIN combinations, zeroing the counter after each failure. 
In order to avoid this attack, we suggest two types of counter implementations. 

Hardware Implementation. In some situations it may be reasonable to assume 
that the counter is implemented in hardware, in such a way that the adversary 
cannot tamper with it. Note that this assumption is more reasonable than as- 
suming all of the secret key is in non-tamperable hardware. Indeed, the counter 
mechanism is the same for all cards, and is not secret, making it easier to mass 
produce on hardware. However, the counter (unlike our other public parameters) 
cannot be implemented by a write-once memory, since it needs to be incremented 
with every failed attempt. This can be addressed by using an asymmetric type 
of memory, where incrementing (e.g. by zeroing one bit) is easy, while undoing 
it is very hard. For example, an operation akin to cutting a wire would be very 
appropriate. We note that [BS97] also use, in a different way, an asymmetric 
type of memory where flipping a bit from 1 to 0 is much easier than flipping it 
from 0 to 1. 

Counter Implementation in Tamperable Memory. Consider now the case that 
the counter can only be implemented in regular (tamperable) memory. Below 
we provide a solution which is tamper-proof secure, based on any one-way permu- 
tation. In the full version we generalize the idea to construct a solution based on 
any forward-secure digital signature scheme. This generalization provides more 
flexibility in obtaining good trade-offs among the time and space parameters 
according to the constraints of the given application, and can allow for better 
performance overall. All our solutions rely on the mechanisms of self-destruct 
and public parameters, as described in previous sections. We start by assuming 
that the model requires a limit M on the total number of failed attempts. 

Intuitively, our goal is to construct a counter such that even a tampering adversary can only increment it (or destroy it), but not decrease it. Consequently, such an adversary will not be able to try more than the specified number of guesses for the PIN before the device self-destructs. Our solution will use the existence of one-way permutations, namely, informally, permutations which are easy to compute but hard to invert (for formal definitions see, e.g., [Gol01]).

It works as follows: Let f be a one-way permutation, and let M be the total number of failed attempts we are willing to tolerate. Let R_0 be a random string from the domain of f, generated by the Setup algorithm. For j = 1, ..., M we define R_j = f(R_{j-1}), namely R_j = f^j(R_0). The setup algorithm will output the counter value (R_0, 0) as part of the secret component sc, and the value R_M to be stored and signed together with sk and the PIN. Every failed attempt to enter the PIN will result in replacing the current counter value (R_i, i) with (f(R_i), i + 1).

Every time the device is invoked, it checks the validity of the current value (R_j, j) in the counter, and in particular whether f^{M−j}(R_j) = R_M. This can generally be done by applying f M − j times. Depending on f, this computation may be done much more efficiently. For instance, assume f is the Rabin function, namely squaring modulo a product of two Blum primes, or the RSA function with a small exponent (both are standard candidates for a one-way permutation). In this case, raising a number to a small power T times can be done efficiently, requiring O(log T) multiplications.

A more detailed description and proof of security are given in the full ver- 
sion, where we also give a more general implementation based on forward-secure 
signatures. 

Limiting the Number of Consecutive Failed Attempts. Limiting the number of consecutive failed attempts to some small number m can be done whenever the adversary is restricted to a certain class of functions which does not include functions that allow updating the counter (e.g., in our solution above, the one-way permutation f or any power of it). In this case, we can change the device algorithm as follows: Before the validity check, check whether the counter value mod m = 0 and if so self-destruct. Also, after the PIN check step, if the PIN is correct, update the counter to the next value which equals 1 mod m.

It is not hard to prove that this implementation is ATP secure against a 
restricted adversary which cannot apply the update function. We leave it as an 
open problem to construct general tamper-proof counters which limit number of 
consecutive failed attempts (or conversely to prove that this is not possible in 
this strong model). 
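An added Go example, not the paper's code, of the one-way-permutation counter of this section using the Rabin function, with the total limit M and the mod m rule for consecutive failures. It assumes two small constructed Blum primes for the modulus and that the issuer's signature on (sk, PIN, R_M) is already enforced by the Figure 1 check; the names Setup, Run and Rewind are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// f(x) = x^2 mod N, the Rabin function, for N = p*q with Blum primes p, q.
// Assumption: these small constructed primes are for illustration only; the
// paper fixes no parameters and a real device needs a modulus of cryptographic size.
var (
	N   = new(big.Int).Mul(big.NewInt(10007), big.NewInt(10039)) // both are 3 mod 4
	two = big.NewInt(2)
)

func f(x *big.Int) *big.Int { return new(big.Int).Exp(x, two, N) }

// fPow returns f^t(x) = x^(2^t) mod N as one modular exponentiation.
func fPow(x *big.Int, t int) *big.Int {
	return new(big.Int).Exp(x, new(big.Int).Lsh(big.NewInt(1), uint(t)), N)
}

// Counter is the tamperable part of sc: the current pair (R_j, j).
type Counter struct {
	R *big.Int
	J int
}

// PINCard keeps (sk, PIN, R_M) in the issuer-signed part of sc (assumed intact
// here) and the counter in plain tamperable memory. M bounds the total number
// of failed attempts; m >= 2 bounds consecutive failures, m = 0 disables that.
type PINCard struct {
	pin       []byte
	RM        *big.Int // R_M = f^M(R_0), signed together with sk and the PIN
	M, m      int
	Counter   Counter
	Destroyed bool
}

func Setup(pin []byte, M, m int) (*PINCard, error) {
	r, err := rand.Int(rand.Reader, N)
	if err != nil {
		return nil, err
	}
	R0 := f(r) // a random quadratic residue, on which squaring is a permutation
	c := &PINCard{pin: append([]byte{}, pin...), RM: fPow(R0, M), M: M, m: m}
	c.Counter = Counter{R: R0, J: 0}
	if m > 0 {
		// Assumption: with a consecutive limit the counter starts at j = 1, the
		// first value that is 1 mod m, since a value that is 0 mod m means destruct.
		c.Counter = Counter{R: f(R0), J: 1}
	}
	return c, nil
}

func (c *PINCard) selfDestruct(why string) error {
	c.Destroyed = true
	return errors.New(why)
}

// Run validates the counter, then the PIN. A wrong PIN advances the counter by
// one application of f; moving it backwards would require inverting f.
func (c *PINCard) Run(pin []byte) error {
	if c.Destroyed {
		return errors.New("card has self-destructed")
	}
	j := c.Counter.J
	if c.m > 0 && j%c.m == 0 {
		return c.selfDestruct("too many consecutive failed attempts")
	}
	if j < 0 || j >= c.M || fPow(c.Counter.R, c.M-j).Cmp(c.RM) != 0 {
		return c.selfDestruct("counter invalid or exhausted")
	}
	if subtle.ConstantTimeCompare(pin, c.pin) != 1 {
		c.Counter = Counter{R: f(c.Counter.R), J: j + 1}
		return errors.New("wrong PIN")
	}
	// Correct PIN: with a consecutive limit, move on to the next value that is 1 mod m.
	for c.m > 0 && c.Counter.J%c.m != 1 {
		c.Counter = Counter{R: f(c.Counter.R), J: c.Counter.J + 1}
	}
	return nil // the intended operation (signing or decryption) would run here
}

// Rewind models the tampering an adversary can attempt: write a smaller j while
// keeping the same R. The next Run detects it because f^(M-j)(R) != R_M.
func (c *PINCard) Rewind(j int) { c.Counter.J = j }

func main() {
	card, _ := Setup([]byte("1234"), 5, 0)
	fmt.Println("correct PIN:", card.Run([]byte("1234")))
	fmt.Println("wrong PIN:", card.Run([]byte("0000")), "counter now", card.Counter.J)
	card.Rewind(0)
	fmt.Println("after rewinding:", card.Run([]byte("1234")), "destroyed:", card.Destroyed)
}
```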
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Abstract. Complexity-theoretic cryptography considers only abstract 
notions of computation, and hence cannot protect against attacks that 
exploit the information leakage (via electromagnetic fields, power con- 
sumption, etc.) inherent in the physical execution of any cryptographic al- 
gorithm. Such “physical observation attacks” bypass the impressive bar- 
rier of mathematical security erected so far, and successfully break math- 
ematically impregnable systems. The great practicality and the inherent 
availability of physical attacks threaten the very relevance of complexity- 
theoretic security. 

To respond to the present crisis, we put forward physically observable 
cryptography: a powerful, comprehensive, and precise model for defining 
and delivering cryptographic security against an adversary that has ac- 
cess to information leaked from the physical execution of cryptographic 
algorithms. Our general model allows for a variety of adversaries. In this 
paper, however, we focus on the strongest possible adversary, so as to 
capture what is cryptographically possible in the worst possible, physi- 
cally observable setting. In particular, we 

— consider an adversary that has full (and indeed adaptive) access to 
any leaked information; 

— show that some of the basic theorems and intuitions of traditional 
cryptography no longer hold in a physically observable setting; and 

— construct pseudorandom generators that are provably secure against 
all physical-observation attacks. 

Our model makes it easy to meaningfully restrict the power of our general 
physically observing adversary. Such restrictions may enable schemes 
that are more efficient or rely on weaker assumptions, while retaining 
security against meaningful physical-observation attacks. 
1 Introduction 

“Non-Physical” Attacks. A non-physical attack against a cryptographic 
algorithm A is one in which the adversary is given some access to (at times even 
full control over) A’s explicit inputs (e.g., messages and plaintexts) and some 
access to A’s outputs (e.g., ciphertexts and digital signatures). The adversary 
is also given full knowledge of A — except, of course, for the secret key — but 
absolutely no “window” into A’s internal state during a computation: he may 
know every single line of A’s code, but whether A’s execution on a given input 
results in making more multiplications than additions, in using lots of RAM, 
or in accessing a given subroutine, remains totally unknown to him. In a non- 
physical attack, A’s execution is essentially a black box. Inputs and outputs may 
be visible, but what occurs within the box cannot be observed at all. 

For a long time, due to a lack of cryptographic theory and the consequent naive 
design of cryptographic algorithms, adversaries had to search no further than 
non-physical attacks for their devious deeds. (For instance, an adversary could 
often ask for and obtain the digital signature of a properly chosen message and 
then forge digital signatures at will.) More recently, however, the sophisticated 
reduction techniques of complexity-theoretic cryptography have shut the door to 
such attacks. For instance, if one-way functions exist, fundamental tools such as 
pseudorandom generation [17] and digital signatures [27,24] can be implemented 
so as to be provably secure against all non-physical attacks. 

Unfortunately, other realistic and more powerful attacks exist. 
“Physical-Observation” Attacks. In reality, a cryptographic algorithm A 
must be run in a physical device P, and, quite outside of our control, the laws of 
Nature have something to say on whether P is reducible to a black box during 
an execution of A. Indeed, as with other physical processes, a real algorithmic 
execution generates all kinds of physical observables, which may thus fall into 
the adversary’s hands, and be quite informative at that. For instance, Kocher 
et al. [20] show that monitoring the electrical power consumed by a smart card 
running the DES algorithm [25] is enough to retrieve the very secret key! In an- 
other example, a series of works [26,2] show that sometimes the electromagnetic 
radiation emitted by a computation, even measured from a few yards away with 
a homemade antenna, could suffice to retrieve a secret key. 

Physically Observable Cryptography. Typically, physical-observation at- 
tacks are soon followed by defensive measures (e.g., [9,19]), giving us hope that 
at least some functions could be securely computed in our physical world. How- 
ever, no rigorous theory currently exists that identifies which elementary func- 
tions need to be secure, and to what extent, so that we can construct complex 
cryptographic systems provably robust against all physical-observation attacks. 
This paper puts forward such a theory. 
Our theory is not about “shielding” hardware (neither perfectly¹ nor par- 
tially²) but rather about how to use partially shielded hardware in a provably 
secure manner. That is, we aim at providing rigorous answers to questions of 
the following relative type: 

(1) Given a piece of physical hardware P that is guaranteed to compute a specific, 
elementary function f(x) so that only some information L_{P,f}(x) leaks to the 
outside, 

is it possible to construct 

(2) a physical pseudorandom generator, encryption scheme, etc., provably secure 
against all physically-observing adversaries? 

Notice that the possibility of such reductions is far from guaranteed: hardware 
P is assumed “good” only for computing f, while any computation outside P 
(i.e., beyond f) is assumed to be fully observable by the adversary. 

Providing such reductions is important even with the current, incomplete 
knowledge about shielding hardware.³ In fact, physically observable cryptography 
may properly focus the research in hardware protection by identifying which 
specific and elementary functions need to be protected and how much. 

A New and General Model. Physically observable cryptography is a new 
and fascinating world defying our traditional cryptographic intuition. (For exam- 
ple, as we show, such fundamental results as the equivalence of unpredictability 
and indistinguishability for pseudorandom generators [30] fail to hold.) Thus, as 
our first (and indeed main) task, we construct a precise model, so as to be able 
to reason rigorously. 

There are, of course, many possible models for physically observable cryp- 
tography, each rigorous and meaningful in its own right. How do we choose? 
We opted for the most pessimistic model of the world that still leaves room for 
cryptography. That is, we chose a very general model for the interplay of phys- 
ical computation, information leakage, and adversarial power, trying to ensure 
that security in our model implies security in the real world, no matter how 
unfriendly the latter turns out to be (unless it disallows cryptographic security 
altogether). 

First Results in the General Model. A new model is of interest only 
when non-trivial work can be done within its confines. We demonstrate that this 
is the case by investigating the fundamental notion of pseudorandom generation. 
In order to do so, we provide physically-observable variants of the traditional def- 
initions of one-way functions, hardcore bits, unpredictability and indistinguisha- 
bility. Already in the definitions stage, our traditional intuition is challenged by 

¹ Perfectly shielded hardware, so that all computation performed in it leaks nothing 
to the outside, might be impossible to achieve and is much more than needed. 

² We are after a computational theory here, and constructing totally or partially 
shielded hardware is not a task for a computational theorist. 

³ Had complexity-theoretic cryptography waited for a proof of existence of one-way 
functions, we would be waiting still! 
the unexpected behavior of these seemingly familiar notions, which is captured 
by several (generally easy to prove) claims and observations. 

We then proceed to the two main theorems of this work. The first theo- 
rem shows that unpredictable physically observable generators with arbitrary 
expansion can be constructed from any (properly defined) physically observable 
one-way permutation. It thus provides a physically observable analogue to the 
results of [13,7] in the traditional world. Unfortunately, this construction does 
not result in indistinguishable physically observable generators. 

Our second main theorem shows that indistinguishable physically observable 
generators with arbitrary expansion can be constructed from such generators 
with 1-bit expansion. It is thus the equivalent of the hybrid argument (a.k.a. 
“statistical walk”) of [15]. 

Both of these theorems require non-trivial proofs that differ in significant 
ways from their traditional counterparts, showing how different the physically 
observable world really is. 

Specialized Models. The generality of our model comes at a price: results in 
it require correspondingly strong assumptions. We wish to emphasize, however, 
that in many settings (e.g., arising from advances in hardware manufacturing) it 
will be quite meaningful to consider specialized models of physically observable 
cryptography, where information leakage or adversarial power are in some way 
restricted. It is our expectation that more efficient results, or results relying on 
lesser assumptions, await in such models. 

Passive vs. Active Physical Adversaries. Traditional cryptography has 
benefited from a thorough understanding of computational security against pas- 
sive adversaries before tackling computational security against active adver- 
saries. We believe similar advantages can be gained for physical security. Hence, 
for now, we consider physically observing adversaries only. Note, however, that 
our adversary has a traditional computational component and a novel physical 
one, and we do not start from scratch in its computational component. Indeed, 
our adversary will be computationally quite active (e.g., it will be able to adap- 
tively choose inputs to the scheme it attacks), but will be passive in its physical 
component (i.e., it will observe a physical computation without tampering with 
it). Attacks (e.g., [4,8,6,5,28]), defenses (e.g., [26,23]), and models (e.g., [12]) 
for physically active adversaries are already under investigation, but their full 
understanding will ultimately depend on a full understanding of the passive case. 

Other Related Work. We note that the question of building protected hard- 
ware has been addressed before with mathematical rigor. In particular, Chari, 
Jutla, Rao and Rohatgi [9] consider how to protect a circuit against attackers 
who receive a noisy function of its state (their motivation is protection against 
power analysis attacks). Ishai, Sahai and Wagner [18] consider how to guarantee 
that adversaries who can physically probe a limited number of wires in a circuit 
will not be able to learn meaningful information from it. This line of research is 
complementary to ours: we consider reductions among physical computing de- 
vices in order to guarantee security against all physical observation attacks under 
some assumptions, whereas the authors of [9] and [18] consider how to build 
particular physical computing devices secure against a particular class of 
physical-observation attacks. In a way, this distinction is analogous to the distinction in 
traditional cryptography between research on cryptographic reductions on the 
one hand, and research on finding instantiations of secure primitives (one-way 
functions, etc.) on the other. 

2 Intuition for Physically Observable Computation 

Our model for physically observable (PO for short) computation is based on the 
following (overlapping) 

Informal Axioms 

1. Computation, and only computation, leaks information 

Information may leak whenever bits of data are accessed and computed 
upon. The leaking information actually depends on the particular operation 
performed, and, more generally, on the configuration of the currently active 
part of the computer. However, there is no information leakage in the absence 
of computation: data can be placed in some form of storage where, when not 
being accessed and computed upon, it is totally secure. 

2. Same computation leaks different information on different computers 

Traditionally, we think of algorithms as carrying out computation. However, 
an algorithm is an abstraction: a set of general instructions, whose physi- 
cal implementation may vary. In one case, an algorithm may be executed 
in a physical computer with lead shielding hiding the electromagnetic radi- 
ation correlated to the machine’s internal state. In another case, the same 
algorithm may be executed in a computer with a sufficiently powerful in- 
ner battery hiding the power utilized at each step of the computation. As a 
result, the same elementary operation on 2 bits of data may leak different 
information: e.g., (for all we know) their XOR in one case and their AND in 
the other. 

3. Information leakage depends on the chosen measurement 

While much may be observable at any given time, not all of it can be observed 
simultaneously (either for theoretical or practical reasons), and some may be 
only observed in a probabilistic sense (due to quantum effects, noise, etc.). 
The specific information leaked depends on the actual measurement made. 
Different measurements can be chosen (adaptively and adversarially) at each 
step of the computation. 

4. Information leakage is local 

The information that may be leaked by a physically observable device is 
the same in any execution with the same input, independent of the com- 
putation that takes place before the device is invoked or after it halts. In 
particular, therefore, measurable information dissipates: though an adver- 
sary can choose what information to measure at each step of a computation, 
information not measured is lost. Information leakage depends on the past 
computational history only to the extent that the current computational 
configuration depends on such history. 

5. All leaked information is efficiently computable from the computer’s internal 
configuration. 

Given an algorithm and its physical implementation, the information leakage 
is a polynomial-time computable function of (1) the algorithm’s internal con- 
figuration, (2) the chosen measurement, and possibly (3) some randomness 
(outside anybody’s control). 



Remarks 

As expected, the real meaning of our axioms lies in the precise way we use them 
in our model and proofs. However, it may be worthwhile to clarify here a few 
points. 

— Some form of security for unaccessed memory is mandatory. For instance, if 
a small amount of information leakage from a stored secret occurs at every 
unit of time (e.g., if a given bit becomes 51% predictable within a day) then 
a patient enough adversary will eventually reconstruct the entire secret. 

— Some form of security for unaccessed memory is possible. One may object 
to the requirement that only computation leaks information on the grounds 
that in modern computers, even unaccessed memory is refreshed, moved from 
cache and back, etc. However, as our formalization below shows, all we need 
to assume is that there is some storage that does not leak information when 
not accessed. If regular RAM leaks, then such storage can be the hard drive; 
if that also leaks, use flash memory; etc. 

— Some form of locality for information leakage is mandatory. The hallmark 
of modern cryptography has been constructing complex systems out of basic 
components. If the behavior of these components changed depending on the 
context, then no general principles for modular design could arise. Indeed, if 
corporation A produced a properly shielded device used in computers built 
by corporation B, then corporation B should not damage the shielding on 
the device when assembling its computers. 

— The restriction of a single adversarial measurement per step should not be mis- 
interpreted. If two measurements M_1 and M_2 can be “fruitfully” performed 
one after the other, our model allows the adversary to perform the single 
measurement M = (M_1, M_2). 

— The polynomial-time computability of leaked information should not be mis- 
interpreted. This efficient computability is quite orthogonal to the debate on 
whether physical (e.g., quantum) computation could break the polynomial- 
time barrier. Essentially, our model says that the most an adversary may 
obtain from a measurement is the entire current configuration of the cryp- 
tographic machine. And such configuration is computable in time linear in 
the number of steps executed by the crypto algorithm. For instance, if a 
computer stores a Hamiltonian graph but not its Hamiltonian tour, then 
performing a breadth-first search on the graph should not leak its Hamilto- 
nian tour. 

(Of course, should an adversary more powerful than polynomial-time be 
considered, then the power of the leakage function might also be increased 
“accordingly.”) 

Of course, we do not know that these axioms are “exactly true”, but definitely 
hope to live in a world that “approximates” them to a sufficient degree: life 
without cryptography would be rather dull indeed! 

3 Models and Goals of Physically Observable 
Cryptography 

Section 3.1 concerns itself with abstract computation, not yet its physical im- 
plementation. Section 3.2 describes how we model physical implementations of 
such abstract computation. Section 3.3 defines what it means, in our model, to 
build high-level constructions out of low-level primitives. 

3.1 Computational Model 

Motivation. Axiom 1 guarantees that unaccessed memory leaks no informa- 
tion. Thus we need a computing device that clearly separates memory that is 
actively being used from memory that is not. The traditional Turing machine, 
which accesses its tape sequentially, is not a suitable computational device for 
the goal at hand: if the reading head is on one end of the tape, and the ma- 
chine needs to read a value on the other end, it must scan the entire tape, thus 
accessing every single memory value. We thus must augment the usual Turing 
machine with random access memory, where each bit can be addressed individ- 
ually and independently of other bits, and enable the resulting machine to copy 
bits between this random-access memory and the usual tape where it can work 
on them. (Such individual random access can be realistically implemented.) 

Axiom 4 guarantees that the leakage of a given device is the same, inde- 
pendent of the computation that follows or precedes it. Thus we need a model 
that can properly segregate one portion of a computation from another. The 
traditional notion of computation as carried out by a single Turing machine is 
inadequate for separating computation into multiple independent components, 
because the configuration of a Turing machine must incorporate (at a minimum) 
all future computation. To enable the modularity of physically observable cryp- 
tography, our model of computation will actually consist of multiple machines, 
each with its own physical protection, that may call each other as subroutines. 
In order to provide true independence, each machine must “see” its own memory 
space, independent of other machines (this is commonly known as virtual mem- 
ory). Thus our multiple machines must be accompanied by a virtual memory 
manager that would provide for parameter passing while ensuring memory inde- 
pendence that is necessary for modularity. (Such virtual memory management 
too can be realistically implemented.) 
Formalization Without Loss of Generality. Let us now formalize this 
model of computation (without yet specifying how information may leak). A 
detailed formalization is of course necessary for proofs to be meaningful. This is 
particularly true in the case of a new theory, where no strong intuition has yet 
been developed. However, the particular choice of these details is not crucial. Our 
theorems are robust enough to hold also for different reasonable instantiations 
of this model. 

Abstract Virtual-Memory Computers. An abstract virtual-memory com- 
puter, or abstract computer for short, consists of a collection of special Tur- 
ing machines, which invoke each other as subroutines and share a special 
common memory. We call each member of our collection an abstract virtual- 
memory Turing machine (abstract VTM or simply VTM for short). We write 
A = (A_1, ..., A_n) to mean that an abstract computer A consists of abstract 
VTMs A_1, ..., A_n, where A_1 is a distinguished VTM: the one invoked first and 
whose inputs and outputs coincide with those of A. Note that abstract comput- 
ers and VTMs are not physical devices: they represent logical computation, and 
may have many different physical implementations. We consider physical computers 
in Section 3.2, after fully describing logical computation. 

In addition to the traditional input, output, work and random tapes of a 
probabilistic Turing machine, a VTM has random access to its own virtual ad- 
dress space (VAS): an unbounded array of bits that starts at address 1 and goes 
on indefinitely. 

The salient feature of an abstract virtual memory computer is that, while 
each VTM “thinks” it has its own individual VAS, in reality all of them, via a 
proper memory manager, share a single physical address space (PAS). 

Virtual-Memory Management. As it is common in modern operating sys- 
tems, a single virtual-memory manager (working in polynomial time) supervises 
the mapping between individual VASes and the unique PAS. The virtual-memory 
manager also allows for parameter passing among the different VTMs. 

When a VTM is invoked, from its point of view every bit in its VAS is 
initialized to 0, except for those locations where the caller placed the input. The 
virtual-memory manager ensures that the VAS of the caller is not modified by 
the callee, except for the callee’s output values (that are mapped back into the 
caller’s VAS). 

Virtual-memory management is a well studied subject (outside the scope 
of cryptography), and we shall refrain from discussing it in detail. The only 
explicit requirement that we impose onto our virtual-memory manager is that it 
should only remap memory addresses, but never access their content. (As we shall 
discuss in later sections, this requirement is crucial to achieving cryptographic 
security in the physical world, where each memory access may result in a leakage 
of sensitive information to the adversary.) 

Accessing Virtual Memory. If A is a VTM, then we denote by m_A the 
content of A’s VAS, and, for a positive integer j, we denote by m_A[j] the bit 
value stored at location j. Every VTM has an additional, special VAS-access 
tape. To read the bit m_A[j], A writes down j on the VAS-access tape, and enters 
a special state. Once A is in that state, the value m_A[j] appears on the VAS- 
access tape at the current head position (the mechanics of this are the same as 
for an oracle query). To write a bit b in location j in its VAS, A writes down 
(j, b) on the VAS-access tape, and enters another special state, at which point 
m_A[j] gets set to b. 

Note that this setup allows each machine to work almost entirely in VAS, and 
use its work tape for merely computing addresses and evaluating simple gates. 

Inputs and Outputs of a VTM. All VTM inputs and outputs are binary 
strings always residing in virtual memory. Consider a computation of a VTM A 
with an input i of length ℓ and an output o of length L. Then, at the start of 
the computation, the input tape of A contains 1^ℓ, the unary representation of 
the input length. The input i itself is located in the first ℓ bit positions of A’s 
VAS, which will be read-only to A. At the end of the computation, A’s output 
tape will contain a sequence of L addresses, b_1, ..., b_L, and o itself will be in 
A’s VAS: o = m_A[b_1] ··· m_A[b_L]. (The reason for the input length to be expressed in 
unary is the preservation of the notion of polynomial running time with respect 
to the length of the input tape.) 

Calling VTMs as Subroutines. Each abstract VTM in the abstract virtual- 
memory computer has a unique name and a special subroutine-call tape. When 
a VTM A' makes a subroutine call to a VTM A, A' specifies where A' placed 
the input bits to A and where A' wants the output bits of A, by writing the 
corresponding addresses on this tape. The memory manager remaps locations 
in the VAS of A' to the VAS of A and vice versa. Straightforward details are 
provided in the full version of the paper. 
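The remapping described above, as an added example that is not part of the paper: a small Python simulation of one PAS shared by several VTMs, in which the caller's input cells are mapped read-only into the callee's VAS, the callee's output cells are mapped back into the caller's VAS, and an access log lets one check that only the VTMs, never the manager, read or write any bit. All class and function names (PhysicalAddressSpace, VTM, call_subroutine, xor_halves, demo) are assumptions chosen for this illustration, and the input bits are constructed.

```python
class PhysicalAddressSpace:
    """The single PAS shared by all VTMs.  Every content access is logged with
    the name of the VTM that made it, so one can check afterwards that the
    memory manager never read or wrote a bit."""

    def __init__(self):
        self.cells = {}          # physical address -> bit; absent cells read as 0
        self.access_log = []     # (vtm name, "read" | "write", physical address)
        self._next_free = 1

    def allocate(self):
        """Hand out a fresh all-zero cell; this touches no content."""
        addr = self._next_free
        self._next_free += 1
        return addr

    def read(self, who, paddr):
        self.access_log.append((who, "read", paddr))
        return self.cells.get(paddr, 0)

    def write(self, who, paddr, bit):
        self.access_log.append((who, "write", paddr))
        self.cells[paddr] = bit & 1


class VTM:
    """One abstract VTM's view of memory: a VAS starting at address 1, mapped
    lazily onto fresh PAS cells, so every location it never wrote reads as 0."""

    def __init__(self, name, pas, page_table=None, read_only=()):
        self.name = name
        self.pas = pas
        self.page_table = dict(page_table or {})   # virtual -> physical address
        self.read_only = set(read_only)

    def resolve(self, vaddr):
        """Manager duty: translate an address without accessing any content."""
        if vaddr not in self.page_table:
            self.page_table[vaddr] = self.pas.allocate()
        return self.page_table[vaddr]

    def read(self, vaddr):
        return self.pas.read(self.name, self.resolve(vaddr))

    def write(self, vaddr, bit):
        if vaddr in self.read_only:
            raise PermissionError(f"{self.name}: VAS[{vaddr}] is read-only input")
        self.pas.write(self.name, self.resolve(vaddr), bit)


def call_subroutine(caller, callee_name, program, in_addrs, out_addrs):
    """Subroutine call: the caller names the l VAS addresses holding the input
    and the L addresses where it wants the output.  The manager maps callee
    VAS 1..l onto the caller's input cells (read-only for the callee), runs
    `program(callee, l)`, which returns the callee addresses of its output
    (its output tape), and remaps those cells into the caller's VAS."""
    in_addrs, out_addrs = list(in_addrs), list(out_addrs)
    page_table = {k + 1: caller.resolve(a) for k, a in enumerate(in_addrs)}
    callee = VTM(callee_name, caller.pas, page_table,
                 read_only=range(1, len(in_addrs) + 1))
    output_addrs = program(callee, len(in_addrs))
    for dst, src in zip(out_addrs, output_addrs):
        caller.page_table[dst] = callee.resolve(src)   # remap, never copy
    return callee


def xor_halves(vtm, ell):
    """Example VTM program: XOR the two halves of the input, write the result
    just past the input and report those addresses as the output."""
    half = ell // 2
    out = []
    for k in range(half):
        vtm.write(ell + 1 + k, vtm.read(1 + k) ^ vtm.read(1 + half + k))
        out.append(ell + 1 + k)
    return out


def demo():
    """A caller places 8 constructed input bits, calls xor_halves, and reads
    back the 4 result bits; returns (result, inputs after the call, who
    touched memory)."""
    pas = PhysicalAddressSpace()
    main = VTM("main", pas)
    inputs = [1, 0, 1, 1, 1, 1, 0, 0]
    for j, bit in enumerate(inputs, start=1):
        main.write(j, bit)
    call_subroutine(main, "xor", xor_halves, range(1, 9), [20, 21, 22, 23])
    result = [main.read(j) for j in (20, 21, 22, 23)]
    unchanged = [main.read(j) for j in range(1, 9)]
    touched_by = sorted({who for who, _, _ in pas.access_log})
    return result, unchanged, touched_by
```

demo() returns ([0, 1, 1, 1], the unchanged input bits, ["main", "xor"]): the caller's VAS is modified only at the four output addresses, the callee saw zeros everywhere except its input, and the only names in the access log are the two VTMs. The point of the design is that the page-table update in call_subroutine is the entire job of the manager; if it copied bits instead of remapping, that copy would itself be a computation whose leakage an adversary could observe.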

3.2 Physical Security Model 

Physical Virtual-Memory Computers. We now formally define what in- 
formation about the operation of a machine can be learned by the adversary. 
Note, however, that an abstract virtual-memory computer is an abstract object 
that may have different physical implementations. To model information leak- 
age of any particular implementation, we introduce a physical virtual-memory 
computer (physical computer for short) and a physical virtual-memory Turing 
machine (physical VTM for short). A physical VTM P is a pair (L, A), where 
A is an abstract VTM and L is the leakage function described below. A physi- 
cal VTM is meant to model a single shielded component that can be combined 
with others to form a computer. If A = (A_1, A_2, ..., A_n) is an abstract com- 
puter and P_i = (L_i, A_i), then we call P_i a physical implementation of A_i and 
P = (P_1, P_2, ..., P_n) a physical implementation of A. 

If a physical computer P is deterministic (or probabilistic, but Las Vegas), 
then we denote by f_P(x) the function computed by P on input x. 

The Leakage Function. The leakage function L of a physical VTM P = 
(L, A) is a function of three inputs, L = L(·, ·, ·). 

— The first input is the current internal configuration C of A, which incor- 
porates everything that is in principle measurable. More precisely, C is a 
binary string encoding (in some canonical fashion) the information of all the 
tapes of A, the locations of all the heads, and the current state (but not the 
contents of its VAS m_A). We require that only the “touched” portions of 
the tapes be encoded in C, so that the space taken up by C is polynomially 
related to the space used by A (not counting the VAS space). 

— The second input M is the setting of the measuring apparatus, also encoded 
as a binary string (in essence, a specification of what the adversary chooses 
to measure). 

— The third input R is a sufficiently long random string to model the random- 
ness of the measurement. 

By specifying the setting M of its measuring apparatus, while A is in configu- 
ration C, the adversary will receive information L(C, M, R), for a fresh random 
R (unknown to the adversary). 

Because the adversary’s computational abilities are restricted to polynomial 
time, we require the function L(C, M, R) to be computable in time that is poly- 
nomial in the lengths of C and M. 

The Adversary. Adversaries for different cryptographic tasks can be quite 
different (e.g., compare a signature scheme adversary to a pseudorandom gener- 
ator distinguisher). However, we will augment all of them in the same way 
with the ability to observe computation. We formalize this notion below. 

Definition 1. We say that the adversary F observes the computation of a phys- 
ical computer P = (P_1, P_2, ..., P_n), where P_i = (L_i, A_i), if: 

1. F is invoked before each step of a physical VTM of P, with the configuration of 
F preserved between invocations. 

2. F has a special read-only name tape that contains the name of the physical 
VTM P_i of P that is currently active. 

3. At each invocation, upon performing some computation, F writes down a 
string M on a special observation tape, and then enters a special state. 
Then the value L_i(C, M, R), where P_i is the currently active physical VTM 
and R is a sufficiently long fresh random string unknown to F, appears on 
the observation tape, and P takes its next step. 

4. This process repeats until P halts. At this point F is invoked again, with its 
name tape containing the index 0 indicating that P halted. 

Notice that the above adversary is adaptive: while it cannot go back in time, its 
choice of what to measure in each step can depend on the results of measurements 
chosen in the past. Moreover, while at each step the adversary can measure only 
one quantity, to have a strong security model, we give the adversary all the 
time it needs to obtain the result of the previous measurement, decide what to 
measure next, and adjust its measuring apparatus appropriately. 
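Definition 1 as an added example (not from the paper): a Python run of two physical VTMs computing the same modular exponentiation under a hypothetical leakage function, with the adversary handed the trace so far and choosing its measurement setting M before every step. The leakage function, the two machines and the helper names (run_observed, recover_exponent, spa_adversary, demo) are assumptions for this illustration; the modulus 3233 = 61·53 and the 6-bit secret are constructed toy values.

```python
import secrets


def square_and_multiply(base, exp_bits, modulus):
    """Left-to-right exponentiation, yielding the configuration C of each step
    before it executes.  A multiply step occurs only for 1-bits (bits are given
    most-significant first), so the operation sequence depends on the secret."""
    acc = 1
    for bit in exp_bits:
        yield {"op": "square", "regs": (acc,)}
        acc = acc * acc % modulus
        if bit:
            yield {"op": "multiply", "regs": (acc,)}
            acc = acc * base % modulus
    return acc


def montgomery_ladder(base, exp_bits, modulus):
    """Same function, different program: every bit costs exactly one multiply
    and one square, so the operation sequence is independent of the exponent."""
    r0, r1 = 1, base % modulus
    for bit in exp_bits:
        yield {"op": "multiply", "regs": (r0, r1)}
        if bit:
            r0 = r0 * r1 % modulus
        else:
            r1 = r0 * r1 % modulus
        yield {"op": "square", "regs": (r0, r1)}
        if bit:
            r1 = r1 * r1 % modulus
        else:
            r0 = r0 * r0 % modulus
    return r0


def leakage(C, M, R):
    """Hypothetical leakage function L(C, M, R).  M = "op" reveals which
    operation the step performs; M = "hw" reveals the Hamming weight of the
    registers perturbed by the measurement randomness R; any other setting
    reveals nothing."""
    if M == "op":
        return C["op"]
    if M == "hw":
        return sum(bin(r).count("1") for r in C["regs"]) + (R % 3) - 1
    return None


def run_observed(machine, leakage_fn, adversary):
    """Run `machine` (a generator of configurations) under observation: before
    each step the adversary is given the trace so far (it is adaptive) and
    returns a setting M; it then receives L(C, M, R) for fresh R.  Returns the
    machine's output y_P together with everything the adversary saw."""
    trace = []
    while True:
        M = adversary(trace)
        try:
            C = next(machine)
        except StopIteration as halted:
            return halted.value, trace
        R = secrets.randbits(64)                   # unknown to the adversary
        trace.append(leakage_fn(C, M, R))


def spa_adversary(trace):
    """Measuring the operation at every step is already enough here."""
    return "op"


def recover_exponent(op_trace):
    """What the adversary computes from an "op" trace of square_and_multiply:
    square then multiply is a 1-bit, square then square a 0-bit.  Returns
    None when the trace does not have that shape (e.g. a ladder trace)."""
    bits, i = [], 0
    while i < len(op_trace):
        if op_trace[i] != "square":
            return None
        if i + 1 < len(op_trace) and op_trace[i + 1] == "multiply":
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits


def demo(secret_bits=(1, 0, 1, 1, 0, 1), base=4, modulus=3233):
    """Toy modulus 3233 = 61*53 (constructed, insecure) and a 6-bit secret."""
    y, trace = run_observed(square_and_multiply(base, secret_bits, modulus),
                            leakage, spa_adversary)
    _, ladder_trace = run_observed(montgomery_ladder(base, secret_bits, modulus),
                                   leakage, spa_adversary)
    return y, recover_exponent(trace), recover_exponent(ladder_trace)
```

demo() returns the correct y = 4^45 mod 3233, the whole secret [1, 0, 1, 1, 0, 1] read off the square-and-multiply trace, and None for the ladder, whose "op" trace is identical for every 6-bit exponent. Two caveats follow directly from the model. The ladder's trace is exponent-independent only for this M: under M = "hw" the register values still leak, so whether the ladder's physical VTM is non-trivial is a property of its leakage function L, not of the abstract program (Axiom 2). And the trace exposes the pointless first squaring of 1, exactly the kind of implementation detail a non-physical adversary could never see.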

Suppose the adversary F running on input x_F observes a physical computer 
P running on input x_P, then P halts and produces output y_P, and then F halts 
and produces output y_F. We denote this by 

y_P ← P(x_P) ⇝ F(x_F) → y_F. 

Note that F sees neither x_P nor y_P (unless it can deduce these values indirectly 
by observing the computation). 



3.3 Assumptions, Reductions, and Goals 

In addition to traditional, complexity-theoretic assumptions (e.g., the existence 
of one-way permutations), physically observable cryptography also has physical 
assumptions. Indeed, the very existence of a machine that “leaks less than com- 
plete information” is an assumption about the physical world. Let us be more 
precise. 

Definition 2. A physical VTM is trivial if its leakage function reveals its entire 
internal configuration⁴ and non-trivial otherwise. 

Fundamental Premise. The very existence of a non-trivial physical VTM is 
a physical assumption. 

Just like in traditional cryptography, the goal of physically observable cryp- 
tography is to rigorously derive desirable objects from simple (physical and com- 
putational) assumptions. As usual, we refer to such rigorous derivations as re- 
ductions. Reductions are expected to use stated assumptions, but should not 
themselves consist of assumptions! 

Definition 3. Let P' and P be physical computers. We say that P' reduces to 
P (alternatively, P implies P') if every non-trivial physical VTM of P' is also 
a physical VTM of P. 



4 Definitions and Observations 

Having put forward the rules of physically observable cryptography, we now need 
to gain some experience in distilling its first assumptions and constructing its 
first reductions. 

We start by quickly recalling basic notions and facts from traditional cryp- 
tography that we use in this paper. 

4.1 Traditional Building Blocks 

We assume familiarity with the traditional GMR notation (recalled in our Ap- 
pendix A). 

We also assume familiarity with the notions of one-way function [10] and 
permutation; with the notion of hardcore bits [7]; with the fact that all one- 
way functions have a Goldreich-Levin hardcore bit [13]; and with the notion of 
a natural hardcore bit (one that is simply a bit of the input, such as the last bit 
of the RSA input [3]). Finally, recall the well-known iterative generator of Blum 
and Micali [7], constructed as follows: 

iterate a one-way permutation on a random seed, outputting the hardcore bit 
at each iteration. 

(All this traditional material is more thoroughly summarized in the full version 
of the paper.) 

⁴ It suffices, in fact, to reveal only the current state and the characters observed by the 
reading heads — the adversary can infer the rest by observing the leakage at every 
step. 
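The Blum–Micali generator recalled above, as an added example that is not part of the paper: a generic iteration routine, instantiated with the RSA permutation x ↦ x^e mod N and its natural hardcore bit, the least significant bit of the input. The function names and the toy parameters N = 61·53, e = 17 (with trapdoor d = 2753) are assumptions constructed for illustration and provide no security.

```python
def blum_micali(seed, n_bits, permutation, hardcore):
    """Blum-Micali: iterate a one-way permutation on the seed, outputting the
    hardcore bit of the current value at each iteration."""
    x = seed
    out = []
    for _ in range(n_bits):
        out.append(hardcore(x))
        x = permutation(x)
    return out


def make_rsa_permutation(N, e):
    """The RSA function x -> x^e mod N.  It is a permutation of Z_N exactly when
    gcd(e, phi(N)) = 1, which only the holder of the factorization can check."""
    return lambda x: pow(x, e, N)


def rsa_lsb(x):
    """The natural hardcore bit of RSA: the least significant bit of the input."""
    return x & 1


def rsa_blum_micali(seed, n_bits, N=3233, e=17):
    """Generator with toy parameters N = 61*53, e = 17 (constructed, insecure)."""
    return blum_micali(seed % N, n_bits, make_rsa_permutation(N, e), rsa_lsb)


def trapdoor_check(N, e, d, sample):
    """Sanity check for whoever holds d = e^-1 mod phi(N): x^(ed) = x mod N on
    every sample point, so e really does induce a permutation."""
    return all(pow(pow(x, e, N), d, N) == x for x in sample)
```

Each output bit is the parity of the current iterate, and the iterate itself is never output; in the traditional model that is all that matters, whereas in the physically observable setting the computation of each iterate is exactly what leaks, which is why the paper treats this construction separately in its first main theorem.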



4.2 Physically Observable One-Way Functions and Permutations 

Avoiding a Logical Trap. In traditional cryptography, the existence of a 
one-way function is currently an assumption, while the definition of a one-way 
function does not depend on any assumption. We wish that the same be true 
for physically observable one-way functions. Unfortunately, the most obvious 
attempt at defining physically observable one-way functions does not satisfy 
this requirement. The attempt consists of replacing the Turing machine T in the 
one-way function definition with a physical computer P observed by F. Precisely, 

Definition Attempt: A physically observable (PO) one-way function is a func- 
tion f : {0,1}* → {0,1}* such that there exists a polynomial-time physical 
computer P that computes f and, for any polynomial-time adversary F, the 
following probability is negligible as a function of k: 

Pr[x ← {0,1}^k ; y ← P(x) ⇝ F(1^k) → state ; z ← F(state, y) : f(z) = y]. 



Intuitively, physically observable one-way functions should be “harder to come by” than traditional ones: unless no traditional one-way functions exist, we expect that only some of them may also be PO one-way. Recall, however, that mathematically a physical computer P consists of pairs (L, A), where L is a leakage function and A an abstract VTM, in particular a single Turing machine. Thus, by setting L to be the constant function 0, and A = {T}, where T is the Turing machine computing f, we obtain a non-trivial computer P = {(L, A)} that ensures that f is PO one-way as soon as it is traditionally one-way. The relevant question, however, is not whether such a computer can be mathematically defined, but whether it can be physically built. As we have said already, the mere existence of a non-trivial physical computer is in itself an assumption, and we do not want the definition of a physically observable one-way function to rely on an assumption. Therefore, we do not define what it means for a function f to be physically observable one-way. Rather, we define what it means for a particular physical computer computing f to be one-way.

We shall actually introduce, in order of strength, three physically observable counterparts of traditional one-way functions and one-way permutations.

Minimal One-Way Functions and Permutations. Avoiding the logical trap discussed above, the first way of defining one-way functions (or permutations) in the physically observable world is to say that P is a one-way function if it computes a permutation f_P that is hard to invert despite the leakage from P’s computation. We call such physically observable one-way functions and permutations “minimal” in order to distinguish them from the other two counterparts we are going to discuss later on.

Definition 4. A polynomial-time deterministic physical computer P is a minimal one-way function if for any polynomial-time adversary A, the following probability is negligible as a function of k:

$$\Pr\bigl[x \leftarrow \{0,1\}^k;\ y \leftarrow \mathcal{P}(x) \rightsquigarrow \mathcal{A}(1^k) \rightarrow \mathit{state};\ z \leftarrow \mathcal{A}(\mathit{state}, y) : f_{\mathcal{P}}(z) = y\bigr].$$

Furthermore, if f_P is length-preserving and bijective, we call P a minimal one-way permutation.

Durable Functions and Permutations. A salient feature of an abstract permutation is that the output is random for a random input. The following definition captures this feature, even in the presence of computational leakage.

Definition 5. A durable function (permutation) is a minimal one-way function (permutation) P such that, for any polynomial-time adversary A, the value $|p^0_k - p^1_k|$ is negligible in k, where

$$p^0_k = \Pr\bigl[x \leftarrow \{0,1\}^k;\ y \leftarrow \mathcal{P}(x) \rightsquigarrow \mathcal{A}(1^k) \rightarrow \mathit{state} : \mathcal{A}(\mathit{state}, y) = 1\bigr]$$

$$p^1_k = \Pr\bigl[x \leftarrow \{0,1\}^k;\ y \leftarrow \mathcal{P}(x) \rightsquigarrow \mathcal{A}(1^k) \rightarrow \mathit{state};\ z \leftarrow \{0,1\}^k : \mathcal{A}(\mathit{state}, z) = 1\bigr].$$

Maximal One-Way Functions and Permutations. We now define physically observable one-way functions that leak nothing at all.

Definition 6. A maximal one-way function (permutation) is a minimal one-way function (permutation) P such that the leakage functions of its component physical VTMs are independent of the input x of P (in other words, x has no effect on the distribution of information that leaks).

One can also define statistically maximal functions and permutations, where for any two inputs x_1 and x_2, the observed leakage from P(x_1) and P(x_2) is statistically close; and computationally maximal functions and permutations, where for any two inputs x_1 and x_2, what P(x_1) leaks is indistinguishable from what P(x_2) leaks. We postpone defining these formally.

4.3 Physically Observable Pseudorandomness 

One of our goals in the sequel will be to provide a physically observable analogue to the Blum-Micali [7] construction of pseudorandom generators. To this end, we provide here physically observable analogues of the notions of indistinguishability [30] and unpredictability [7].

Unpredictability. The corresponding physically observable notion replaces “unpredictability of bit i + 1 from the first i bits” with “unpredictability of bit i + 1 from the first i bits and the leakage from their computation.”

Definition 7. Let p be a polynomially bounded function such that p(k) > k for all positive integers k. Let G be a polynomial-time deterministic physical computer that, on a k-bit input, produces p(k)-bit output, one bit at a time (i.e., it writes down on the output tape the VAS locations of the output bits from left to right, one at a time). Let G^i denote running G and aborting it after it outputs the i-th bit. We say that G is a PO unpredictable generator with expansion p if for any polynomial-time adversary A, the value $|p_k - 1/2|$ is negligible in k, where

$$p_k = \Pr\bigl[(i, \mathit{state}_1) \leftarrow \mathcal{A}(1^k);\ x \leftarrow \{0,1\}^k;\ y_1 y_2 \ldots y_i \leftarrow \mathcal{G}^i(x) \rightsquigarrow \mathcal{A}(\mathit{state}_1) \rightarrow \mathit{state}_2 : \mathcal{A}(\mathit{state}_2, y_1 \ldots y_i) = y_{i+1}\bigr],$$

(where y_j denotes the j-th bit of y = G(x)).

Indistinguishability. The corresponding physically observable notion replaces “indistinguishability” by “indistinguishability in the presence of leakage.” That is, a polynomial-time adversary A first observes the computation of a pseudorandom string, and then receives either that same pseudorandom string or a totally independent random string, and has to distinguish between the two cases.

Definition 8. Let p be a polynomially bounded function such that p(k) > k for all positive integers k. We say that a polynomial-time deterministic physical computer G is a PO indistinguishable generator with expansion p if for any polynomial-time adversary A, the value $|p^0_k - p^1_k|$ is negligible in k, where

$$p^0_k = \Pr\bigl[x \leftarrow \{0,1\}^k;\ y \leftarrow \mathcal{G}(x) \rightsquigarrow \mathcal{A}(1^k) \rightarrow \mathit{state} : \mathcal{A}(\mathit{state}, y) = 1\bigr]$$

$$p^1_k = \Pr\bigl[x \leftarrow \{0,1\}^k;\ y \leftarrow \mathcal{G}(x) \rightsquigarrow \mathcal{A}(1^k) \rightarrow \mathit{state};\ z \leftarrow \{0,1\}^{p(k)} : \mathcal{A}(\mathit{state}, z) = 1\bigr].$$



4.4 First Observations 

Reductions in our new environment are substantially more complex than in the traditional setting, and we have chosen a very simple one as our first example. Namely, we prove that minimal one-way permutations compose just like traditional one-way permutations.

Claim. A minimal one-way permutation P implies a minimal one-way permutation P' such that f_{P'}(·) = f_P(f_P(·)).

Proof. To construct P', build a trivial physical VTM that simply runs P twice. See the full version of the paper for details. We wish to emphasize that, though simple, the details of the proof of Claim 4.4 illustrate exactly how our axioms for physically observable computation (formalized in our model) play out in our proofs.

Despite this good news about our simplest definition, minimal one-way permutations are not suitable for the Blum-Micali construction due to the following observation.

Observation 1 Minimal one-way permutations do not chain. That is, an adversary observing the computation of P' from Claim 4.4 and receiving f_P(f_P(x)) may well be able to compute the intermediate value f_P(x).

This is so because P may leak its entire output while being minimal one-way.

Unlike minimal one-way permutations, maximal one-way permutations do suffice for the Blum-Micali construction.

Claim. A maximal one-way permutation P implies a PO unpredictable generator.

Proof. The proof of this claim, whose details are omitted here, is fairly straightforward: simply mimic the Blum-Micali construction, computing x_1 = P(x_0), x_2 = P(x_1), ..., x_n = P(x_{n-1}) and outputting the Goldreich-Levin bit of x_n, of x_{n-1}, ..., of x_1. Note that the computation of Goldreich-Levin must be done on a trivial physical VTM (because to do otherwise would involve another assumption), which will result in full leakage of x_{n-1}, ..., x_0. Therefore, for unpredictability, it is crucial that the bits be computed and output one at a time and in reverse order, as in the original Blum-Micali construction.



Observation 2 Using maximal (or durable or minimal) one-way permutations in the Blum-Micali construction does not yield PO indistinguishable generators.

Indeed, the output from the above construction is easily distinguishable from random in the presence of leakage, because of the eventual leakage of x_0, x_1, ..., x_n.

The above leads to the following observation. 

Observation 3 A PO unpredictable generator is not necessarily PO indistinguishable.

However, indistinguishability still implies unpredictability, even in this physically 
observable world. 

If the maximal one-way permutation satisfies an additional property, we can obtain PO indistinguishable generators. Recall that a (traditional) hardcore bit of x is natural if it is a bit in some fixed location of x.

Claim. A maximal one-way permutation P for which f_P has a (traditional) natural hardcore bit implies a PO indistinguishable generator.

Proof. Simply use the previous construction, but output the natural hardcore bit instead of the Goldreich-Levin one. Because all parameters (including inputs and outputs) are passed through memory, this output need not leak anything. Thus, the result is indistinguishable from random in the presence of leakage, because there is no meaningful leakage.

The claims and observations so far have been fairly straightforward. We now 
come to the two main theorems. 

5 Theorems 

Our first main theorem demonstrates that the notion of a durable function is in some sense the “right” analogue of the traditional one-way permutation: when used in the Blum-Micali construction, with Goldreich-Levin hardcore bits, it produces a PO unpredictable generator; moreover, the proof seems to need all of the properties of durable functions. (Identifying the minimal physically observable assumption for pseudorandom generation is a much harder problem, not addressed here.)

Theorem 1. A durable function implies a PO unpredictable generator (with any 
polynomial expansion). 

Proof. Utilize the Blum-Micali construction, outputting (in reverse order) the Goldreich-Levin bit of each x_i, just like in Claim 4.4. The hard part is to show that this is unpredictable. Durable functions, in principle, could leak their own hardcore bits — this would not contradict the indistinguishability of the output from random (indeed, by the very definition of a hardcore bit). However, what helps us here is that we are using specifically the Goldreich-Levin hardcore bit, computed as r · x_i for a random r. Note that r will be leaked to the adversary before the first output bit is even produced, during its computation as r · x_n. But crucially, the adversary will not yet know r during the iterated computation of the durable function, and hence will be unable to tailor its measurement to the particular r. We can then show (using the same error-correcting code techniques for reconstructing x_i as in [13]) that r · x_i is unpredictable given the leakage obtained by the adversary. More details of the proof are deferred to the full version of the paper.
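The construction used in the proof of the Claim above and again in Theorem 1, as an added example that is not part of the paper: a Python model of Blum-Micali with the Goldreich-Levin bit in which each GL computation leaks its whole input, and in which the permutation x ↦ 2^x mod 1019 (an assumption, trivially invertible at this size) stands in for P. Running it shows why the bits must come out in reverse order: with forward output the leaked x_i hands the adversary the next bit for free, with reverse output it does not.

```python
"""Blum-Micali with the Goldreich-Levin bit under a toy leakage model.

Added example, not from the paper.  Assumptions (constructed for illustration):
  * the "one-way permutation" is x -> 2**x mod 1019 on {1, ..., 1018};
    2 is a primitive root mod 1019, so this is a bijection, but at this
    size it is trivially invertible; it only makes the iteration concrete;
  * the iteration itself leaks nothing (the maximal case), while each
    Goldreich-Levin computation r . x_i runs on a trivial physical VTM and
    therefore leaks x_i in full, as the claim's proof says.
"""
import secrets

P = 1019   # small prime, constructed
G = 2      # primitive root mod P (1019 = 3 mod 8, so 2 is a non-residue)
K = 10     # inputs are K-bit strings; 1018 < 2**K


def f(x: int) -> int:
    """Toy 'one-way' permutation of {1, ..., P-1}."""
    return pow(G, x, P)


def gl_bit(r: int, x: int) -> int:
    """Goldreich-Levin hardcore bit: inner product of r and x over GF(2)."""
    return bin(r & x).count("1") % 2


def is_permutation() -> bool:
    """Sanity check of the assumption that f is a bijection on {1..P-1}."""
    return sorted(f(x) for x in range(1, P)) == list(range(1, P))


def bm_generator(x0: int, r: int, n: int, reverse: bool = True):
    """Blum-Micali with the GL bit.

    Computes x_1 = f(x_0), ..., x_n = f(x_{n-1}) and outputs one GL bit per
    x_i.  reverse=True is the paper's order (bit of x_n first, x_1 last);
    reverse=False outputs the bit of x_1 first.  Returns (bits, leakage):
    leakage[j] is the value the trivial VTM exposed while producing bits[j].
    """
    xs = [x0]
    for _ in range(n):
        xs.append(f(xs[-1]))
    order = range(n, 0, -1) if reverse else range(1, n + 1)
    bits, leakage = [], []
    for i in order:
        bits.append(gl_bit(r, xs[i]))
        leakage.append(xs[i])        # trivial VTM: x_i leaks in full
    return bits, leakage


def forward_predictor(r: int, leaked_so_far: list) -> int:
    """Adversary that knows r (leaked during the first GL computation) and
    the most recently leaked x: it applies f forward and takes the GL bit.
    This is exactly right when the next output is r . f(x); it would need
    f^{-1} when the next output is the bit of the *previous* x."""
    return gl_bit(r, f(leaked_so_far[-1]))


def prediction_rate(reverse: bool, trials: int = 200, n: int = 8) -> float:
    """Fraction of next-bit guesses forward_predictor gets right."""
    hits = total = 0
    for _ in range(trials):
        x0 = 1 + secrets.randbelow(P - 1)      # random seed in {1..P-1}
        r = secrets.randbelow(1 << K)          # random GL vector
        bits, leak = bm_generator(x0, r, n, reverse)
        for j in range(1, n):
            hits += forward_predictor(r, leak[:j]) == bits[j]
            total += 1
    return hits / total


if __name__ == "__main__":
    print("forward order, predictor success:", prediction_rate(False))
    print("reverse order, predictor success:", prediction_rate(True))
```

With forward output the predictor is right every time; with the paper's reverse output it does no better than a coin flip, because the leaked x_i only lets it move forward along the chain while the next bit lies one step backward.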

Our second theorem addresses the stronger notion of PO indistinguishability. We have already seen that PO indistinguishable generators can be built out of maximal one-way permutations with natural hardcore bits. However, this assumption may be too strong. What this theorem shows is that as long as there is some way to build the simplest possible PO indistinguishable generator — the one with one-bit expansion — there is a way to convert it to a PO indistinguishable generator with arbitrary expansion.

Theorem 2. A PO indistinguishable generator that expands its input by a single bit implies a PO indistinguishable generator with any polynomial expansion.

Proof. The proof consists of a hybrid argument, but such arguments are more complex in our physically observable setting (in particular, rather than a traditional single “pass” through n intermediate steps — where the first is pseudorandom and the last is truly random — they now require two passes: from 1 to n and back). Details can be found in the full version of the paper.



6 Some Further Directions 

A New Role for Older Notions. In traditional cryptography, in light of the Goldreich-Levin construction [13], it seemed that finding natural hardcore bits of one-way functions became a nearly pointless endeavor (from which only minimal efficiency could be realized). However, Claim 4.4 changes the state of affairs dramatically. This shows how physically observable cryptography may provide new impetus for research on older subjects.

(Another notion from the past that seemed insignificant was the method of outputting bits backwards in the Blum-Micali generator. It was made irrelevant by the equivalence of unpredictability and indistinguishability. In our new world, however, outputting bits backwards is crucially important for Claim 4.4 and Theorem 1.)

Inherited vs. Generated Randomness. Our definitions in the physically observable model do not address the origin of the secret input x for a one-way function P: according to the definitions, nothing about x is observable by A before P starts running. One may take another view of a one-way function, however: one that includes the generation of a random input x as the first step. While in traditional cryptography this distinction seems unimportant, it is quite crucial in physically observable cryptography: the very generation of a random x may leak information about x. It is conceivable that some applications require a definition that includes the generation of a random x as part of the functionality of P. However, we expect that in many instances it is possible to “hardwire” the secret randomness before the adversary has a chance to observe the machine, and then rely on pseudorandom generation.

Deterministic Leakage and Repeated Computations. Our definitions allow for repeated computation to leak new information each time. However, the case can be made (e.g., due to proper hardware design) that some devices computing a given function f may leak the same information whenever f is evaluated at the same input x. This is actually implied by making the leakage function deterministic and independent of the adversary measurement. Fixed-leakage physically observable cryptography promises to be a very useful restriction of our general model (e.g., because, for memory efficiency, crucial cryptographic quantities are often reconstructed from small seeds, such as in the classical pseudorandom function of [16]).
Signature Schemes. In a forthcoming paper we shall demonstrate that digital signatures provide another example of a crucial cryptographic object constructible in our general model. Interestingly, we shall obtain our result by relying on some old constructions (e.g., [21] and [22]), highlighting once more how old research may play a role in our new context.

Acknowledgment. The work of the second author was partly funded by the National Science Foundation under Grant No. CCR-0311485.
A Minimal GMR Notation

— Random assignments. If S is a probability space, then “x ← S” denotes the algorithm which assigns to x an element randomly selected according to S. If F is a finite set, then the notation “x ← F” denotes the algorithm which assigns to x an element selected according to the probability space whose sample space is F and whose probability distribution is uniform on the sample points.

— Probabilistic experiments. If p(·, ·, ...) is a predicate, the notation Pr[x ← S; y ← T; ... : p(x, y, ...)] denotes the probability that p(x, y, ...) will be true after the ordered execution of the algorithms x ← S, y ← T, ....
Abstract. Committed Oblivious Transfer (COT) is a useful cryptographic primitive that combines the functionalities of bit commitment and oblivious transfer. In this paper, we introduce an extended version of COT (ECOT) which additionally allows proofs of relations among committed bits, and we construct an efficient protocol that securely realizes an ECOT functionality in the universal-composability (UC) framework. Our construction is more efficient than previous (non-UC) constructions of COT, involving only a constant number of exponentiations and communication rounds. Using the ECOT functionality as a building block, we construct efficient UC protocols for general two-party and multi-party functionalities, each gate requiring a constant number of ECOTs.



1 Introduction 

Committed Oblivious Transfer (COT) was introduced by Crépeau [17] (under the name “Verifiable Oblivious Transfer”) as a natural combination of $\binom{2}{1}$-Oblivious Transfer [21] and Bit Commitment. At the start of the computation Alice is committed to bits a_0 and a_1 and Bob is committed to bit b; at the end Bob is committed to a_b and knows nothing about a_{1-b}, while Alice learns nothing about b. One can see that this allows each party engaged in an oblivious transfer to be certain that the other party is performing the oblivious transfer operation on their declared inputs.¹ This has been shown to be useful in [18], who construct a protocol for general secure multi-party computation in the model of [28] using COT.

In this paper we show how to improve on previous constructions of COT in the areas of efficiency and universal composability. In terms of efficiency, the protocol we construct for COT uses only a constant number of exponentiations and communication rounds per transfer.² In contrast, the most efficient previously known construction of COT [18] uses O(k) invocations of OT (thus implying at least the same number of public-key operations using known constructions) and bit commitments, and O(k) rounds, for k a security parameter. Furthermore, we show that our protocol securely realizes an ideal COT functionality in the recently-proposed universal composability (UC) framework by Canetti [9], in the common reference string (CRS) model. Recall that to define security in this framework, one first specifies an “ideal functionality” describing the desired behavior of the protocol using a trusted party, and then one proves that a particular protocol operating in the real world “securely realizes” this ideal functionality, by showing that no “environment” would be able to distinguish (1) an adversary operating in the real world with parties running this protocol from (2) an “ideal adversary” operating in an ideal process consisting of dummy parties that simply call the ideal functionality. A main virtue of this framework is that the security of protocols thus defined is preserved under a general composition operation called “universal composition,” which essentially means that protocols remain secure even when composed with other protocols that may be running concurrently in the same system. We give a more detailed review of the UC framework later in the paper. We note that a similar framework was independently proposed by Pfitzmann and Waidner [37,38]. Intuitively, these two frameworks are similar, although there are a number of technical differences. We choose to use the UC framework in this paper.³

¹ This contrasts with standard oblivious transfer, where some other method (perhaps another cryptographic building block, or verification at some higher layer protocol) is required to guarantee that parties are performing their part of the transfer on their declared inputs.

² Security is proved under some standard number theoretic assumptions, discussed later.

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 297-316, 2004.

Our protocol actually realizes an enhanced COT functionality, which we call ECOT, where in addition to oblivious transfer, one can prove certain relations among committed bits (in particular, among three bits). To demonstrate the usefulness of this functionality, we show that using ECOT as a building block, any well-formed two-party and multi-party functionality can be securely realized efficiently in the universal composability framework. Plugging in our protocol for realizing the ECOT into this construction, we have an efficient protocol for any well-formed two-party and multi-party functionality in the CRS model.

Canetti et al. [11] were the first to show that such functionalities are indeed realizable in this model, even under general cryptographic assumptions and regardless of the number of corrupted parties. More specifically, [11] follows the general “two-phase” approach of [27] of first designing a solution for the case of honest-but-curious parties, and then turning it into a solution for the actively malicious adversary, using a “compiler.” The compiler adds a zero-knowledge proof to every message, proving that it is consistent with the history and the (committed) private input and the randomness. Notice that since the “consistency” proofs are for relations involving the execution of Turing machines, they are quite complex and it is unlikely that they admit efficient protocols; rather, proofs for general NP statements are used (which involve a reduction to an NP-complete problem like Hamiltonian Cycle), making the compiler a major source of inefficiency. Canetti et al. make the protocol in [27] secure in the UC framework by replacing the basic primitives (namely, oblivious transfer, bit commitment, and zero-knowledge) with their universally composable counterparts. The resultant protocol becomes universally composable, but remains rather inefficient. In this paper we follow a different approach. By incorporating stronger security into the basic building block (i.e., ECOT), we are able to build protocols secure against adaptive and malicious adversaries directly, eliminating the need for a (normally inefficient) compiler. In this way, we are able to construct protocols that are efficient and at the same time enjoy a high level of security.

³ The ideal-process/real-world formulation of security and the simulator-based paradigm were initiated by Goldreich et al. [27]. From then on, there have been many definitions in this (now standard) paradigm, with emphasis on different aspects. For a number of examples, see Goldwasser and Levin [30], Micali and Rogaway [32], Beaver [2,3], and Canetti [8], for the formulations that precede the UC framework.

Our results. We now present a more detailed account of our results. We start by defining an ECOT functionality ($\mathcal{F}_{\mathrm{ECOT}}$), which, as mentioned above, additionally allows the sender to prove relations on three committed bits to the receiver. Then we construct a protocol to realize the ECOT functionality. The starting point for our construction is the standard Pedersen commitment scheme [35]. Then we build an OT protocol over these commitments that is loosely based on the (non-concurrent version of the) OT protocol of Garay and MacKenzie [23] (which in turn is based on the OT protocol of Bellare and Micali [4]). Zero-knowledge (ZK) proofs are required in this OT protocol, and thus we work in a hybrid model with ideal ZK functionalities. Naturally, the constructions for proving relations on three committed bits also use these ideal ZK functionalities. Finally, to construct efficient protocols that securely realize these ZK functionalities, we construct a special type of honest-verifier ZK protocol for each desired relation, and then we use a result by Garay et al. [24] that shows how to convert this special type of honest-verifier ZK protocol into a universally-composable ZK protocol. These results are presented in Section 3.

The ECOT functionality can be naturally extended into one that performs $\binom{4}{1}$-transfers (instead of $\binom{2}{1}$) and proves relations on four committed bits (as opposed to three). We call this extended functionality $\mathcal{F}^4_{\mathrm{ECOT}}$ and show how to construct it using the original $\mathcal{F}_{\mathrm{ECOT}}$ functionality as a building block. Equipped with $\mathcal{F}^4_{\mathrm{ECOT}}$, we then show how to securely realize a two-party functionality that we call Joint Gate Evaluation ($\mathcal{F}_{\mathrm{JGE}}$), which, as its name indicates, allows two parties to securely compute any Boolean function over two bits shared between them. Essentially, the protocol realizing this functionality uses a construction similar to that of [27] for the computation of the multiplication gate. However, distinctive features of the protocol are that it deals directly with adaptively malicious parties, and its efficiency: only a constant number of exponentiations and communication rounds per gate evaluation. Joint Gate Evaluation is presented in Section 4.

Finally, we use $\mathcal{F}_{\mathrm{JGE}}$ to securely realize — efficiently — any adaptively well-formed two-party and multi-party functionality, which is expressed by an arithmetic circuit over GF(2), in a universally-composable way. Again, since the realization is directly for the actively malicious adversary, and by means of an efficient building block, the overall computational complexity is a small constant times the number of gates in the representation of the functionality, and the number of rounds is a constant times the depth of the circuit. The treatment of two-party functionalities is presented in Section 5, while the case of multi-party functionalities, with the one-to-many extensions and realizations of the required building blocks, is discussed in Section 6. Putting everything together, we construct efficient and universally composable two-party and multi-party computation protocols that are secure against adaptive adversaries in the erasing model, where we allow parties to erase certain information reliably.

As a technical note, we use the gate-by-gate approach from [27], and make sure that each gate is computed efficiently. We do not use the “encrypted circuit” approach due to Yao [40], which yields constant-round protocols but is rather inefficient in terms of communication complexity, since one needs to prove in zero-knowledge that the encrypted circuit is correct and these proofs are unlikely to admit efficient protocols.

Related work. We already mentioned prior work on COT [17,18]. Although the protocols presented there are generic and hence may be implemented with or without computational assumptions (e.g., using primitives based on quantum channels), they are less efficient by at least a factor of k, where k is the security parameter, and furthermore, they are not universally composable. (As a side note, a “stand-alone” version of our ECOT protocol would be substantially simpler, in particular with respect to the implementation of the necessary ZK proofs.)

We can also compare the ECOT functionality to the functionalities defined in [11], who use a “two-phase” approach to construct universally composable two-party/multiple-party computation protocols. In the first phase, where they construct a protocol secure against semi-honest adversaries, an important tool is the OT functionality. In the second phase, where they exhibit a “compiler” that turns protocols in the first phase into ones secure against malicious adversaries, an important tool is the “commit-and-prove” functionality, which proves general NP statements. In some sense, the ECOT functionality may be viewed as a “combination” of the OT functionality and the commit-and-prove functionality. However, we stress that since ECOT only needs to prove very simple relations (among three bits), it can be realized more efficiently.⁴

Recently, Damgård and Nielsen [20] presented efficient universally composable multi-party computation protocols using a different approach. Their construction is based on an efficient MPC protocol by Cramer et al. [14], which in turn is based on threshold homomorphic cryptosystems. Compared to our result, the Damgård-Nielsen construction works in a slightly stronger model, namely the public key infrastructure (PKI) model, where a trusted party not only generates a common reference string (which contains the public keys of all the parties), but also a private string for each party (as the party’s secret key). On the other hand, their protocol is secure against adaptive adversaries in the so-called non-erasing model, where the parties are not allowed to erase any information, while our construction is secure in the erasing model only.

⁴ We note that a commitment functionality with the capability to perform proofs on committed bits was also proposed by Damgård and Nielsen [19], along with efficient protocols realizing it under some specific number-theoretic assumptions. However, it was not shown that their functionality could be used in constructing protocols for general secure multi-party computation, and more specifically, oblivious transfer.

Due to space limitation, proofs are omitted from this extended abstract, but may be found in the full version of this paper [25].

2 Preliminaries and Definitions 

All our results are in the common reference string (CRS) model, which assumes that there is a string uniformly generated from some distribution and available to all parties at the start of a protocol. This is a generalization of the public random string model, where a uniform distribution over fixed-length bit strings is assumed.

For a distribution Δ, we say a ∈ Δ to denote any element that has non-zero probability in Δ, i.e., any element in the support of Δ. We say a ← Δ to denote that a is randomly chosen according to distribution Δ. For a set S, we say a ← S to denote that a is uniformly drawn from S.

Ω-protocols. We will use a special type of zero-knowledge protocols, namely, Ω-protocols [24], which are variants of the so-called Σ-protocols [15,13]. Very roughly speaking, Σ-protocols are three-round, public-coin, honest-verifier zero-knowledge protocols, and Ω-protocols are proof-of-knowledge Σ-protocols with a straight-line extractor. See [24,25] for a detailed description of Ω-protocols.

The universal composability framework. The universal composability framework was suggested by Canetti for defining the security and composition of protocols [9]. In this framework one first defines an “ideal functionality” of a protocol, and then proves that a particular implementation of this protocol operating in a given computational environment securely realizes this ideal functionality. The basic entities involved are n players P_1, ..., P_n, an adversary A, and an environment Z. The real execution of a protocol π, run by the players in the presence of A and an environment machine Z, with input z, is modeled as a sequence of activations of the entities. The environment Z is activated first, generating in particular the inputs to the other players. Then the protocol proceeds by having A exchange messages with the players and the environment. Finally, the environment outputs one bit, which is the output of the protocol.

The security of the protocols is defined by comparing the real execution of the protocol to an ideal process in which an additional entity, the ideal functionality $\mathcal{F}$, is introduced; essentially, $\mathcal{F}$ is an incorruptible trusted party that is programmed to produce the desired functionality of the given task. Let $\mathcal{S}$ denote the adversary in this idealized execution. The players are replaced by dummy players, who do not communicate with each other; whenever a dummy player is activated, its input is forwarded to $\mathcal{F}$ by $\mathcal{S}$, who can see the “public header” of the input. As in the real-life execution, the output of the protocol execution is the one-bit output of $\mathcal{Z}$. Now a protocol $\pi$ securely realizes an ideal functionality $\mathcal{F}$ if for any real-life adversary $\mathcal{A}$ there exists an ideal-execution adversary $\mathcal{S}$ such that no environment $\mathcal{Z}$, on any input, can tell with non-negligible probability whether it is interacting with $\mathcal{A}$ and players running $\pi$ in the real-life execution, or with $\mathcal{S}$ and $\mathcal{F}$ in the ideal execution. More precisely, if the two binary distribution ensembles, $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ and $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$, describing $\mathcal{Z}$’s output after interacting with adversary $\mathcal{A}$ and players running protocol $\pi$ (resp., adversary $\mathcal{S}$ and ideal functionality $\mathcal{F}$), are computationally indistinguishable (denoted $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$). 

Protocols typically invoke other sub-protocols. In this framework the hybrid model is like a real-life execution, except that some invocations of the sub-protocols are replaced by the invocation of an instance of an ideal functionality $\mathcal{F}$; this is called the “$\mathcal{F}$-hybrid model.” We are designing and analyzing protocols in the CRS model, and so they will be operating in the $\mathcal{F}^{\mathcal{D}}_{CRS}$-hybrid model, where $\mathcal{F}^{\mathcal{D}}_{CRS}$ is the functionality that chooses a string from distribution $\mathcal{D}_k$ and hands it to all parties. Further, we will consider the “multi-session extension of $\mathcal{F}$” of Canetti and Rabin [12], denoted $\hat{\mathcal{F}}$, which runs multiple copies of $\mathcal{F}$ by identifying each copy by a special sub-session identifier. 

The definition of $\hat{\mathcal{F}}^R_{ZK}$, the multi-session extension of $\mathcal{F}^R_{ZK}$, is shown below. Note the two types of indices: the sid, which differentiates messages to $\hat{\mathcal{F}}^R_{ZK}$ from messages sent to other functionalities, and ssid, the sub-session identifier, which is unique per input message (or proof). 



Functionality $\hat{\mathcal{F}}^R_{ZK}$ 

$\hat{\mathcal{F}}^R_{ZK}$ proceeds as follows, running with security parameter $k$, parties $P_1, \ldots, P_n$, and an adversary $\mathcal{S}$: 

— Upon receiving (zk-prover, sid, ssid, $P_i$, $P_j$, $x$, $w$) from $P_i$: If $R(x, w)$ then send (ZK-PROOF, sid, ssid, $P_i$, $P_j$, $x$) to $P_j$ and $\mathcal{S}$ and halt. Otherwise, ignore. 



Refer to [9,11] for further description of the UC framework. 

3 Universally Composable Committed Oblivious Transfer 

In this section we present the $\mathcal{F}_{ECOT}$ functionality, an extension of COT where in addition to the oblivious transfer, the sender can prove to the receiver (Boolean) relations among the committed bits. We will later use this functionality to implement an efficient Joint Gate Evaluation functionality, which in turn will enable efficient and universally composable multi-party computation. The functionality $\mathcal{F}_{ECOT}$ is shown below. Informally, a party $P_i$ commits to a bit $b$ by sending an ecot-commit message to the ideal functionality $\mathcal{F}_{ECOT}$, and $P_i$ can later open this bit by sending an ecot-open message with the appropriate commitment identifier (cid) value. For $P_i$ to obliviously transfer a bit to $P_j$, $P_i$ needs to commit to two bits $b_0$ and $b_1$ and $P_j$ needs to commit to one bit $b_t$; after sending an ecot-transfer to $\mathcal{F}_{ECOT}$, the bit $b_{b_t}$ is transferred to $P_j$ and automatically committed by $\mathcal{F}_{ECOT}$ on behalf of $P_j$. Meanwhile, $P_i$ does not learn anything, except that a transfer took place. Furthermore, the functionality also allows a party $P_i$ to prove to $P_j$ that three bits $b_0$, $b_1$, and $b_2$ it committed to satisfy a particular binary relation by sending an ecot-prove message to $\mathcal{F}_{ECOT}$. 

This feature was added to the UC framework in [11]. 

As a convention, we use $op^{(2)}_m$ to denote a function on two bits, where $m \in \{0,1\}^4$ is the string of bits of the Boolean function’s truth table (output column). We also often identify $m$ with the integer whose binary representation is $m$. (For example, $m = 1$ represents the AND function, whose truth table is 0001.) 

As a technical note, we note that the Open phase is not strictly necessary since it can be simulated by the Prove phase. Take $op^{(2)}_{0000}$ and $op^{(2)}_{1111}$, which correspond to the all-zero and all-one functions. Then, by proving that $op^{(2)}_{0000}(b_0, b_1) = b_2$ for arbitrary bits $b_0$ and $b_1$, one essentially opens bit $b_2$ to 0; similarly, by proving that $op^{(2)}_{1111}(b_0, b_1) = b_2$, one opens $b_2$ to 1. We choose to include the Open phase in the functionality for clarity and efficiency (the Open phase can be realized more efficiently than the simulated Prove phase). 

Functionality $\mathcal{F}_{ECOT}$ 

$\mathcal{F}_{ECOT}$ proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $\mathcal{S}$. 

— Commit phase: When receiving from $P_i$ a message (ecot-commit, sid, cid, $P_j$, $b$), record (cid, $P_i$, $P_j$, $b$), send message (ECOT-RECEIPT, sid, cid, $P_i$, $P_j$) to $P_i$, $P_j$ and $\mathcal{S}$, and ignore all future messages of the form (ecot-commit, sid, cid, $P_j$, *) from $P_i$ and (ecot-transfer, sid, cid, *, *, *, $P_i$) from $P_j$. 

— Prove phase: When receiving from $P_i$ a message (ecot-prove, sid, ssid, $cid_0$, $cid_1$, $cid_2$, $P_j$, $m$), if the following three tuples, ($cid_0$, $P_i$, $P_j$, $b_0$), ($cid_1$, $P_i$, $P_j$, $b_1$), ($cid_2$, $P_i$, $P_j$, $b_2$), are all recorded, and $op^{(2)}_m(b_0, b_1) = b_2$, then send message (ECOT-PROOF, sid, ssid, $cid_0$, $cid_1$, $cid_2$, $P_i$, $m$) to $P_j$ and $\mathcal{S}$; otherwise do nothing. 

— Transfer phase: When receiving from $P_i$ a message (ecot-transfer, sid, cid, $cid_0$, $cid_1$, tcid, $P_j$), if the following three tuples ($cid_0$, $P_i$, $P_j$, $b_0$), ($cid_1$, $P_i$, $P_j$, $b_1$), and (tcid, $P_j$, $P_i$, $b_t$) are all recorded, send message (ECOT-DATA, sid, cid, $P_i$, $P_j$, $cid_0$, $cid_1$, tcid, $b_{b_t}$) to $P_j$, record tuple (cid, $P_j$, $P_i$, $b_{b_t}$), and send message (ECOT-RECEIPT, sid, cid, $P_i$, $P_j$, $cid_0$, $cid_1$, tcid) to $P_i$ and $\mathcal{S}$, and ignore all future messages of the form (ecot-commit, sid, cid, $P_i$, *) from $P_j$ and (ecot-transfer, sid, cid, *, *, *, $P_j$) from $P_i$. Otherwise, do nothing. 

— Open phase: When receiving from $P_i$ a message (ecot-open, sid, cid, $P_i$, $P_j$), if the tuple (cid, $P_i$, $P_j$, $b$) is recorded, send message (ECOT-DATA, sid, cid, $P_i$, $P_j$, $b$) to both $\mathcal{S}$ and $P_j$; otherwise, do nothing. 
Before presenting a protocol that securely realizes $\mathcal{F}_{ECOT}$, we first discuss some preliminary constructions that will be used as building blocks. 



3.1 Building Blocks 

In [24], Garay et al. introduced a technique to transform any $\Omega$-protocol into a universally composable protocol by using a digital signature scheme that is existentially unforgeable against adaptive chosen-message attacks. Their transformation is efficient if the digital signature scheme admits an efficient proof of knowledge protocol. In particular, they proved the following result. 

Theorem 1 ([24]). Under the strong RSA assumption or the DSA assumption, for every relation $R$ that admits an $\Omega$-protocol $\Pi$, there exists a three-round protocol UC[$\Pi$] that securely realizes the ideal functionality $\hat{\mathcal{F}}^R_{ZK}$ in the $\mathcal{F}_{CRS}$-hybrid model against adaptive adversaries, assuming erasing. Furthermore, the (additive) overhead of UC[$\Pi$] over $\Pi$ is a constant number of exponentiations plus the generation of a signature. 

See [25] for discussion on the Strong RSA assumption. 

Drawing from standard techniques in the literature (e.g., [6,7,22,31,24]), we are able to construct efficient $\Omega$-protocols for the following relations; by then “plugging” them into Theorem 1, we obtain efficient universally composable zero-knowledge protocols for these relations. Due to space limitations, the detailed construction of these $\Omega$-protocols appears in the full version [25]. 

1. “OR” of two discrete logs: 

$R_{OR\text{-}DL}((y_0, g_0, y_1, g_1), (x_0, x_1)) = R_{DL}((y_0, g_0), x_0) \vee R_{DL}((y_1, g_1), x_1)$ 

2. “OR”/“AND” relation of six discrete logs: 

$R_{OR\text{-}N\text{-}DL}((y_0, y_1, y_2, y_3, y_4, y_5, g), (x_0, x_1, x_2, x_3, x_4, x_5)) = ((R_{DL}((y_0, g), x_0) \vee R_{DL}((y_1, g), x_1)) \wedge R_{DL}((y_2, g), x_2)) \vee (R_{DL}((y_3, g), x_3) \wedge R_{DL}((y_4, g), x_4) \wedge R_{DL}((y_5, g), x_5))$ 

3. Partial equality of representations: 

$R_{PEREP}((x_0, g_0, g_1, x_1, g_2, g_3), (\alpha_0, \alpha_1, \alpha_2))$ 

4. “OR” of partial equality of representations: 

$R_{OR\text{-}PEREP}((x_0, g_0, g_1, x_1, g_2, g_3, y_0, h_0, h_1, y_1, h_2, h_3), (\alpha_0, \alpha_1, \alpha_2, \beta_0, \beta_1, \beta_2)) = R_{PEREP}((x_0, g_0, g_1, x_1, g_2, g_3), (\alpha_0, \alpha_1, \alpha_2)) \vee R_{PEREP}((y_0, h_0, h_1, y_1, h_2, h_3), (\beta_0, \beta_1, \beta_2))$ 
3.2 The UCECOT Protocol 

We now present UCECOT, a protocol that securely realizes the $\mathcal{F}_{ECOT}$ ideal functionality in the hybrid model with the CRS functionality and the zero-knowledge functionalities $\hat{\mathcal{F}}^R_{ZK}$ for the relations of Section 3.1, where the CRS consists of $(p, q, g, h)$ such that $q$ and $p$ are primes satisfying $q \mid (p - 1)$ and $g, h \in \mathbb{Z}_p^*$ are random elements satisfying $\mathrm{order}(g) = \mathrm{order}(h) = q$. $p$ and $q$ will also serve as the public parameters in the relations $R_{DL}$, $R_{PEREP}$, and their compositions. 

We first describe the protocol. 

Commit phase: On receiving private input (ecot-commit, sid, cid, $P_j$, $b$), assuming that cid is not used before, party $P_i$ picks a random $r \xleftarrow{R} \mathbb{Z}_q$, computes $B \leftarrow g^r \cdot h^b \bmod p$, sends message (ucecot-commit, sid, cid, $B$) to party $P_j$, sends message (zk-prover, sid, cid, $P_i$, $P_j$, $(B, g, B/h, g)$, $(r, r)$) to $\hat{\mathcal{F}}^{R_{OR\text{-}DL}}_{ZK}$, and outputs (ECOT-RECEIPT, sid, cid, $P_i$, $P_j$). After receiving the messages from $P_i$ and $\hat{\mathcal{F}}^{R_{OR\text{-}DL}}_{ZK}$, respectively, $P_j$ outputs (ECOT-RECEIPT, sid, cid, $P_i$, $P_j$). 

Essentially $P_i$ sends a Pedersen commitment [35] of bit $b$ to $P_j$ and uses the $\hat{\mathcal{F}}^{R_{OR\text{-}DL}}_{ZK}$ ideal functionality to prove that he either knows the discrete log of $B$ base $g$ (in which case $P_i$ is committing to bit 0) or the discrete log of $B/h$ base $g$ (in which case $P_i$ is committing to bit 1). 

Prove phase: Suppose $P_i$ has committed bits $b_0$, $b_1$, and $b_2$ to $P_j$ using cids $cid_0$, $cid_1$, and $cid_2$, respectively. Further assume that their corresponding Pedersen commitments are $B_0 = g^{r_0} \cdot h^{b_0}$, $B_1 = g^{r_1} \cdot h^{b_1}$, and $B_2 = g^{r_2} \cdot h^{b_2}$. Now, upon receiving private input (ecot-prove, sid, ssid, $cid_0$, $cid_1$, $cid_2$, $P_j$, $m$), $P_i$ is to prove to $P_j$ that $op^{(2)}_m(b_0, b_1) = b_2$, using sub-session id ssid. We first consider the situation where $m = 1110$, in which case $op^{(2)}_m$ is the NAND operation. In this situation, $P_i$ sends message (ucecot-prove, sid, ssid, $cid_0$, $cid_1$, $cid_2$, $m$) to $P_j$ and sends message (zk-prover, sid, ssid, $P_i$, $P_j$, $(B_0, B_1, B_2/h, B_0/h, B_1/h, B_2, g)$, $(r_0, r_1, r_2, r_0, r_1, r_2)$) to $\hat{\mathcal{F}}^{R_{OR\text{-}N\text{-}DL}}_{ZK}$. After receiving the corresponding message from $\hat{\mathcal{F}}^{R_{OR\text{-}N\text{-}DL}}_{ZK}$, $P_j$ outputs (ECOT-PROOF, sid, ssid, $cid_0$, $cid_1$, $cid_2$, $P_i$, $m$). 

Intuitively, $P_i$ is proving that $(((b_0 = 0) \vee (b_1 = 0)) \wedge (b_2 = 1)) \vee ((b_0 = 1) \wedge (b_1 = 1) \wedge (b_2 = 0))$. 

In the case of any other binary operation $op^{(2)}_m$, it can be written as a composition of NANDs and then proved step by step. $P_i$ will need to commit to all the intermediate bits and prove that each NAND operation is correct. For example, consider the case where $m = 0001$ is the AND operation. Notice that $x \wedge y = \overline{\overline{x \wedge y} \wedge \overline{x \wedge y}}$. Therefore, to prove that $b_2 = b_0 \wedge b_1$, $P_i$ needs to commit to a new bit $b_3 = \overline{b_0 \wedge b_1}$ using the protocol in the Commit phase, and then prove both that $b_3 = \overline{b_0 \wedge b_1}$ and that $b_2 = \overline{b_3 \wedge b_3}$. 
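The following Python script is an added illustration of the Commit and Prove phases above, not code from the paper: the relations of Section 3.1 are written as the predicates the ZK functionality evaluates, and the NAND statement is checked to be accepted with the honest witness $(r_0, r_1, r_2, r_0, r_1, r_2)$ exactly when $b_2 = \overline{b_0 \wedge b_1}$, with AND handled through two NAND proofs. The group parameters are constructed toy values and all function names are this example's own.

```python
import secrets

# Toy Schnorr-group parameters, constructed for illustration only (far too small
# for real use): q | p-1 and g, h both have order q in Z_p^*.  Binding of the
# Pedersen commitment relies on log_g(h) being unknown, which a toy group ignores.
P, Q, G, H = 23, 11, 2, 3


def inv(x):
    """Multiplicative inverse modulo the prime p."""
    return pow(x, P - 2, P)


def pedersen_commit(b, r=None):
    """Commit phase: B = g^r * h^b mod p with fresh r <- Z_q; returns (B, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P) * pow(H, b, P) % P, r


# The relations of Section 3.1, written as the predicates that the ideal ZK
# functionality evaluates on a (statement, witness) pair.
def R_DL(y, g, x):
    return pow(g, x, P) == y


def R_OR_DL(stmt, wit):
    y0, g0, y1, g1 = stmt
    x0, x1 = wit
    return R_DL(y0, g0, x0) or R_DL(y1, g1, x1)


def R_OR_N_DL(stmt, wit):
    y0, y1, y2, y3, y4, y5, g = stmt
    x0, x1, x2, x3, x4, x5 = wit
    left = (R_DL(y0, g, x0) or R_DL(y1, g, x1)) and R_DL(y2, g, x2)
    right = R_DL(y3, g, x3) and R_DL(y4, g, x4) and R_DL(y5, g, x5)
    return left or right


def commit_statement(B):
    """(B, g, B/h, g): the prover knows log_g B (b = 0) or log_g(B/h) (b = 1)."""
    return (B, G, B * inv(H) % P, G)


def nand_statement(B0, B1, B2):
    """The R_OR-N-DL instance sent in the Prove phase for m = 1110 (NAND):
    log_g B0 <=> b0 = 0, log_g B1 <=> b1 = 0, log_g(B2/h) <=> b2 = 1,
    log_g(B0/h) <=> b0 = 1, log_g(B1/h) <=> b1 = 1, log_g B2 <=> b2 = 0."""
    return (B0, B1, B2 * inv(H) % P, B0 * inv(H) % P, B1 * inv(H) % P, B2, G)


def commit_phase_ok(b):
    """Honest P_i: the OR-DL statement holds with witness (r, r) for either bit."""
    B, r = pedersen_commit(b)
    return R_OR_DL(commit_statement(B), (r, r))


def prove_nand_ok(b0, b1, b2):
    """Honest P_i holding commitments to b0, b1, b2: the functionality accepts the
    witness (r0, r1, r2, r0, r1, r2) iff b2 really equals NAND(b0, b1)."""
    (B0, r0), (B1, r1), (B2, r2) = (pedersen_commit(x) for x in (b0, b1, b2))
    return R_OR_N_DL(nand_statement(B0, B1, B2), (r0, r1, r2, r0, r1, r2))


def prove_and_ok(b0, b1, b2):
    """AND (m = 0001) via two NAND proofs through a fresh commitment to b3 = NAND(b0, b1)."""
    b3 = 1 - (b0 & b1)
    return prove_nand_ok(b0, b1, b3) and prove_nand_ok(b3, b3, b2)
```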

Transfer phase: Suppose $P_i$ has committed bits $b_0$ and $b_1$, and $P_j$ has committed bit $b_t$, using identifiers $cid_0$, $cid_1$, and tcid, respectively. Further assume that the corresponding Pedersen commitments are $B_0 = g^{r_0} \cdot h^{b_0}$, $B_1 = g^{r_1} \cdot h^{b_1}$, and $B_t = g^{r_t} \cdot h^{b_t}$. Now, upon receiving private input (ecot-transfer, sid, cid, $cid_0$, $cid_1$, tcid, $P_j$), assuming that cid is not used before, $P_i$ is to obliviously transfer bit $b_{b_t}$ to $P_j$, using session id sid and the commitment id cid for the new bit $b_{b_t}$. Intuitively, $P_i$ sends two Pedersen commitments, $C_0$ and $C_1$, where $C_0$ is a commitment to $b_0$ using base $B_t$, and $C_1$ is a commitment to $b_1$ using base $B_t/h$. It also sends $A_0$ and $A_1$ generated using the same randomness as $C_0$ and $C_1$. If $b_t = 0$, then $P_j$ knows the discrete log of $B_t$ and can check if $C_0$ is a commitment to zero or not, and if $b_t = 1$, then $P_j$ knows the discrete log of $B_t/h$ and can check if $C_1$ is a commitment to zero or not. 

Now we proceed to the details. $P_i$ randomly picks $a_0, a_1 \xleftarrow{R} \mathbb{Z}_q$ and computes $A_0 \leftarrow g^{a_0}$, $A_1 \leftarrow g^{a_1}$, $C_0 \leftarrow B_t^{a_0} \cdot h^{b_0}$ and $C_1 \leftarrow (B_t/h)^{a_1} \cdot h^{b_1}$. $P_i$ then sends message (ucecot-transfer, sid, cid, $cid_0$, $cid_1$, tcid, $A_0$, $A_1$, $C_0$, $C_1$) to $P_j$ and sends the following four messages to the ideal functionality $\hat{\mathcal{F}}^{R_{PEREP}}_{ZK}$: 

(zk-prover, sid, cid $\circ$ 00, $P_i$, $P_j$, $(C_0, h, B_t, B_0, h, g)$, $(b_0, a_0, r_0)$) 
(zk-prover, sid, cid $\circ$ 01, $P_i$, $P_j$, $(C_1, h, B_t/h, B_1, h, g)$, $(b_1, a_1, r_1)$) 
(zk-prover, sid, cid $\circ$ 10, $P_i$, $P_j$, $(A_0, g, 1, C_0, B_t, h)$, $(a_0, 0, b_0)$) 
(zk-prover, sid, cid $\circ$ 11, $P_i$, $P_j$, $(A_1, g, 1, C_1, B_t/h, h)$, $(a_1, 0, b_1)$) 

After this, $P_i$ erases $a_0$ and $a_1$. 

After receiving the message from $P_i$ and four messages from the ideal functionality $\hat{\mathcal{F}}^{R_{PEREP}}_{ZK}$, $P_j$ does the following (otherwise $P_j$ aborts). 

If $b_t = 0$, then check if $A_0^{r_t} = C_0 \bmod p$, and set $b \leftarrow 0$ if yes and $b \leftarrow 1$ otherwise; if $b_t = 1$, then check if $A_1^{r_t} = C_1 \bmod p$, and set $b \leftarrow 0$ if yes and $b \leftarrow 1$ otherwise. Now $b$ is the bit $P_j$ receives. 

Next, $P_j$ picks a random $r \xleftarrow{R} \mathbb{Z}_q$ and sets $B \leftarrow g^r \cdot h^b \bmod p$, sends message (ucecot-commit, sid, cid, $B$) to party $P_i$, sends message (zk-prover, sid, cid, $P_j$, $P_i$, $(C_0, h, A_0, B, h, g, C_1, h, A_1, B, h, g)$, $(b, r_t, r, b, r_t, r)$) to ideal functionality $\hat{\mathcal{F}}^{R_{OR\text{-}PEREP}}_{ZK}$, and outputs (ECOT-DATA, sid, cid, $P_i$, $P_j$, $cid_0$, $cid_1$, tcid, $b$). Finally, after receiving messages from $P_j$ and $\hat{\mathcal{F}}^{R_{OR\text{-}PEREP}}_{ZK}$, $P_i$ outputs (ECOT-RECEIPT, sid, cid, $P_i$, $P_j$, $cid_0$, $cid_1$, tcid). 

Open phase: Suppose $P_i$ has committed a bit $b$ to $P_j$ using session id sid and commitment id cid. Further assume that the commitment is $B = g^r \cdot h^b \bmod p$. Now upon receiving private input (ecot-open, sid, cid, $P_i$, $P_j$), $P_i$ opens the bit $b$ by sending message (ucecot-open, sid, cid, $b$, $r$) to $P_j$, who then verifies that $B = g^r \cdot h^b \bmod p$, and outputs (ECOT-DATA, sid, cid, $P_i$, $P_j$, $b$) if the verification is valid. 

This is exactly the opening of a Pedersen commitment. 
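An added Python model of the Transfer phase above (not the paper's code, toy group constructed for illustration): $P_i$ forms $A_0, A_1, C_0, C_1$, $P_j$ recovers $b_{b_t}$ from the one discrete log it knows, and the PEREP statements handed to the ZK functionality are evaluated. The form assumed for $R_{PEREP}$, namely $x_0 = g_0^{\alpha_0} g_1^{\alpha_1}$ and $x_1 = g_2^{\alpha_0} g_3^{\alpha_2}$, is this example's assumption (the page does not spell it out) chosen to match the statements in the protocol; all function names are hypothetical.

```python
import secrets

# Toy Schnorr group (constructed; far too small for real use): g, h of order q.
P, Q, G, H = 23, 11, 2, 3


def inv(x):
    return pow(x, P - 2, P)


def pedersen_commit(b, r=None):
    """B = g^r * h^b mod p with fresh r <- Z_q; returns (B, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P) * pow(H, b, P) % P, r


def R_PEREP(stmt, wit):
    """Assumed form of partial equality of representations:
    x0 = g0^a0 * g1^a1 and x1 = g2^a0 * g3^a2 (exponent a0 shared)."""
    x0, g0, g1, x1, g2, g3 = stmt
    a0, a1, a2 = wit
    return (x0 == pow(g0, a0, P) * pow(g1, a1, P) % P
            and x1 == pow(g2, a0, P) * pow(g3, a2, P) % P)


def R_OR_PEREP(stmt, wit):
    return R_PEREP(stmt[:6], wit[:3]) or R_PEREP(stmt[6:], wit[3:])


def sender_transfer(b0, b1, Bt):
    """P_i: C0 commits to b0 with base Bt, C1 commits to b1 with base Bt/h,
    and A0, A1 reuse the same randomness a0, a1 with base g."""
    a0, a1 = secrets.randbelow(Q), secrets.randbelow(Q)
    A0, A1 = pow(G, a0, P), pow(G, a1, P)
    C0 = pow(Bt, a0, P) * pow(H, b0, P) % P
    C1 = pow(Bt * inv(H) % P, a1, P) * pow(H, b1, P) % P
    return (A0, A1, C0, C1), (a0, a1)   # a0, a1 are erased after the ZK messages


def receiver_recover(bt, rt, A0, A1, C0, C1):
    """P_j: with bt = 0 it knows log_g Bt = rt, so Bt^a0 = A0^rt and C0 hides a
    zero iff A0^rt = C0; with bt = 1 the same holds for Bt/h, A1 and C1.
    The other sender bit stays hidden behind the unknown discrete log."""
    if bt == 0:
        return 0 if pow(A0, rt, P) == C0 else 1
    return 0 if pow(A1, rt, P) == C1 else 1


def run_transfer(b0, b1, bt):
    """One Transfer phase; returns the bit P_j obtains and whether every ZK
    statement (P_i's four PEREP proofs, P_j's OR-PEREP re-commitment) holds."""
    (B0, r0), (B1, r1), (Bt, rt) = (pedersen_commit(x) for x in (b0, b1, bt))
    (A0, A1, C0, C1), (a0, a1) = sender_transfer(b0, b1, Bt)
    Bt_h = Bt * inv(H) % P
    sender_proofs = (R_PEREP((C0, H, Bt, B0, H, G), (b0, a0, r0))
                     and R_PEREP((C1, H, Bt_h, B1, H, G), (b1, a1, r1))
                     and R_PEREP((A0, G, 1, C0, Bt, H), (a0, 0, b0))
                     and R_PEREP((A1, G, 1, C1, Bt_h, H), (a1, 0, b1)))
    b = receiver_recover(bt, rt, A0, A1, C0, C1)
    B, r = pedersen_commit(b)   # P_j re-commits to the received bit under cid
    receiver_proof = R_OR_PEREP(
        (C0, H, A0, B, H, G, C1, H, A1, B, H, G), (b, rt, r, b, rt, r))
    return b, sender_proofs and receiver_proof
```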

We assume that all the id’s are binary strings, and we use “$a \circ b$” to indicate the concatenation of string $a$ with string $b$. 

In the full version, we show: 

Theorem 2. Under the DDH assumption, protocol UCECOT securely realizes the $\mathcal{F}_{ECOT}$ ideal functionality in the hybrid model with the CRS functionality and the zero-knowledge functionalities used above, against adaptive, malicious adversaries, assuming erasing. 



4 Joint Gate Evaluation 

In this section we show how to securely realize a two-party functionality that we call Joint Gate Evaluation ($\mathcal{F}_{JGE}$) in the $\mathcal{F}_{ECOT}$-hybrid model in the presence of a malicious, adaptive adversary. Informally, $\mathcal{F}_{JGE}$ allows two parties to jointly evaluate any binary operation on two bits, and this will allow us to construct general two-party computation protocols on top of $\mathcal{F}_{JGE}$. We first present the functionality, shown below. 



Functionality $\mathcal{F}_{JGE}$ 

$\mathcal{F}_{JGE}$ proceeds as follows, running with parties $P_i$, $P_j$ and adversary $\mathcal{S}$. 

— Commit phase: When receiving from $P_i$ a message (commit, sid, cid, $P_j$, $b$), record (cid, $\{P_i, P_j\}$, $b$), send message (RECEIPT, sid, cid, $P_i$, $P_j$) to $P_i$, $P_j$ and $\mathcal{S}$, and ignore all further messages of the form (commit, sid, cid, $x$, *) and (eval, sid, cid, *, *, $x$, *) from $P_i$ or $P_j$, where $x \in \{P_i, P_j\}$. 

— Evaluate phase: When receiving from $P_i$ a message (eval, sid, cid, $cid_0$, $cid_1$, $P_j$, $m$), if both ($cid_0$, $\{P_i, P_j\}$, $b_0$) and ($cid_1$, $\{P_i, P_j\}$, $b_1$) are recorded, then compute $b = op^{(2)}_m(b_0, b_1)$, record (cid, $\{P_i, P_j\}$, $b$), send message (EVAL-RECEIPT, sid, cid, $cid_0$, $cid_1$, $P_i$, $P_j$, $m$) to $P_i$, $P_j$ and $\mathcal{S}$, and ignore all further messages of the form (commit, sid, cid, $x$, *) and (eval, sid, cid, *, *, $x$, *) from $P_i$ or $P_j$, where $x \in \{P_i, P_j\}$. Otherwise, do nothing. 

— Open phase: When receiving from $P_i$ a message (open, sid, cid, $P_j$), if the tuple (cid, $\{P_i, P_j\}$, $b$) is recorded, then send message (DATA, sid, cid, $P_i$, $P_j$, $b$) to $P_j$; otherwise, do nothing. 



At a high level, the approach we will use to realize functionality $\mathcal{F}_{JGE}$ is similar to that in [26,11]. In particular, each bit stored in $\mathcal{F}_{JGE}$ will be XOR-shared by $P_i$ and $P_j$, and each gate evaluation will be done by a $\binom{4}{1}$-oblivious transfer. However, our resulting construction is directly secure against a malicious, adaptive adversary, and therefore we do not need the “compiler” used in [26,11]. This “direct” (as opposed to the “two-phase”) approach makes our protocol much more efficient. 

In particular, we will realize the $\mathcal{F}_{JGE}$ functionality using a further generalization of the $\mathcal{F}_{ECOT}$ functionality, which we call $\mathcal{F}'_{ECOT}$. The Commit and Open phases of $\mathcal{F}'_{ECOT}$ are identical to those of $\mathcal{F}_{ECOT}$, but the Transfer phase performs a $\binom{4}{1}$-transfer (instead of $\binom{2}{1}$), while the Prove phase proves relations consisting of Boolean functions of three bits (as opposed to two). 

The detailed descriptions of $\mathcal{F}'_{ECOT}$ and a protocol that securely realizes it in the $\mathcal{F}_{ECOT}$-hybrid model appear in [25]. 

We now give a high-level idea of how the protocol will realize the $\mathcal{F}_{JGE}$ functionality in the $\mathcal{F}'_{ECOT}$-hybrid model. In the protocol, each bit $b$ of identifier cid stored in $\mathcal{F}_{JGE}$ is shared between $P_i$ and $P_j$ additively. More precisely, $P_i$ has a bit $b_1$ and $P_j$ has a bit $b_2$ such that $b = b_1 \oplus b_2$. Furthermore, each of $b_1$ and $b_2$ is a random bit by itself. Both $P_i$ and $P_j$ will commit to their bits to each other using identifier cid. To open this bit to $P_i$, $P_j$ opens its share, $b_2$, to $P_i$, who then computes $b = b_1 \oplus b_2$. 

In order to evaluate $c = op^{(2)}_m(a, b)$, suppose $P_i$ holds $a_1$ and $b_1$ as shares of $a$ and $b$, and $P_j$ holds $a_2$ and $b_2$, respectively. Then, $P_i$ generates a random bit $c_1 \xleftarrow{R} \{0, 1\}$ and computes four bits $o_{00}, o_{01}, o_{10}, o_{11}$, which are the “candidate bits” for $c_2$, $P_j$’s share of bit $c$. Which bit is $c_2$ depends on $P_j$’s shares $a_2$ and $b_2$. The actual bits are computed as in the table below. 

  $(a_2, b_2)$    $P_j$’s output $c_2$ 
  (0,0)           $o_{00} = c_1 \oplus op^{(2)}_m(a_1, b_1)$ 
  (0,1)           $o_{01} = c_1 \oplus op^{(2)}_m(a_1, b_1 \oplus 1)$ 
  (1,0)           $o_{10} = c_1 \oplus op^{(2)}_m(a_1 \oplus 1, b_1)$ 
  (1,1)           $o_{11} = c_1 \oplus op^{(2)}_m(a_1 \oplus 1, b_1 \oplus 1)$ 

$P_i$ then commits to the bits $c_1, o_{00}, o_{01}, o_{10}, o_{11}$ and proves to $P_j$ the relations in the table using the Prove phase of $\mathcal{F}'_{ECOT}$. (We use $m_0, m_1, m_2, m_3$ to denote the encodings of these relations.) Next, $P_i$ and $P_j$ engage in a $\binom{4}{1}$-oblivious transfer so that $P_j$ receives bit $o_{a_2 b_2}$, which is $P_j$’s share of bit $c$. 
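An added Python illustration of the gate evaluation just described (not the paper's code): $P_i$ builds the candidate table from the truth-table encoding $m$, the $\binom{4}{1}$-oblivious transfer is idealised as a lookup, the three-input relation encodings $m_k$ that the Prove phase would certify are derived, and the shares are checked to reconstruct $op^{(2)}_m(a, b)$ for all sixteen binary operations. The encoding of the $m_k$ as 8-bit truth tables and all function names are this example's assumptions.

```python
import secrets


def op2(m, x, y):
    """op_m^(2): m is the 4-bit truth-table output column, indexed by the input
    pair (x, y) read as the integer 2x + y; so '1110' is NAND and '0001' is AND."""
    return int(m[2 * x + y])


def candidate_bits(m, a1, b1, c1):
    """P_i's side of the Evaluate phase: the four candidates o_00, o_01, o_10, o_11
    of the table, keyed by P_j's shares (a2, b2)."""
    return {(a2, b2): c1 ^ op2(m, a1 ^ a2, b1 ^ b2)
            for a2 in (0, 1) for b2 in (0, 1)}


def ot_1_of_4(candidates, a2, b2):
    """The (4 choose 1)-oblivious transfer, idealised: P_j obtains exactly one
    candidate and P_i learns nothing about which one."""
    return candidates[(a2, b2)]


def relation_encoding(m, a2, b2):
    """The encoding m_k of the relation o_{a2 b2} = c1 xor op_m(a1 xor a2, b1 xor b2)
    that P_i proves via the Prove phase of F'_ECOT: an 8-bit truth table over
    (c1, a1, b1), written like m and indexed by 4*c1 + 2*a1 + b1 (assumed layout)."""
    return "".join(str(c1 ^ op2(m, a1 ^ a2, b1 ^ b2))
                   for c1 in (0, 1) for a1 in (0, 1) for b1 in (0, 1))


def prove_candidates_ok(m, a1, b1, c1, candidates):
    """What the Prove phase certifies: every committed candidate obeys its relation."""
    return all(candidates[(a2, b2)] ==
               int(relation_encoding(m, a2, b2)[4 * c1 + 2 * a1 + b1])
               for (a2, b2) in candidates)


def evaluate_gate(m, a, b):
    """Runs one gate evaluation on fresh random XOR shares of a and b and returns
    (c, c1, c2): P_i's share c1 is random, P_j's share c2 comes out of the OT."""
    a1, b1 = secrets.randbelow(2), secrets.randbelow(2)
    a2, b2 = a ^ a1, b ^ b1          # P_j's shares
    c1 = secrets.randbelow(2)
    candidates = candidate_bits(m, a1, b1, c1)
    assert prove_candidates_ok(m, a1, b1, c1, candidates)
    c2 = ot_1_of_4(candidates, a2, b2)
    return c1 ^ c2, c1, c2


def all_gates_correct():
    """Checks c1 xor c2 == op_m(a, b) for all 16 binary operations and all inputs."""
    tables = [format(t, "04b") for t in range(16)]
    return all(evaluate_gate(m, a, b)[0] == op2(m, a, b)
               for m in tables for a in (0, 1) for b in (0, 1))
```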

The full description of UCJGE, the protocol that securely realizes $\mathcal{F}_{JGE}$ in the $\mathcal{F}'_{ECOT}$-hybrid model, as well as the proof of the following theorem, appear in [25]. 

Theorem 3. Protocol UCJGE securely realizes the $\mathcal{F}_{JGE}$ functionality in the $\mathcal{F}'_{ECOT}$-hybrid model against malicious, adaptive adversaries. 

5 Efficient and Universally Composable Two-Party 
Computation 

In this section we show how to securely realize any adaptively well-formed two-party functionality in the presence of malicious adaptive adversaries in the $\mathcal{F}_{JGE}$-hybrid model. Our construction is similar to the constructions in [27,26,11] for semi-honest adversaries. However, since our $\mathcal{F}_{JGE}$ functionality is secure in the presence of malicious adversaries, we are able to obtain a two-party protocol secure against malicious adversaries directly. 
We first review some of the assumptions about two-party functionalities we use in our paper, which are also used in [11]. We let $\mathcal{F}$ be an ideal two-party functionality, and we let $P_1$ and $P_2$ be the participating parties. We assume that $\mathcal{F}$ may be represented via a family $C_{\mathcal{F}}$ of Boolean circuits, the $k$th circuit representing an activation of $\mathcal{F}$ with security parameter $k$. Without loss of generality, we assume the circuits are composed entirely of NAND gates. 

For simplicity, we assume that in each activation, (1) at most one party has an input to $\mathcal{F}$ with at most $k$ bits, (2) each party may receive at most $k$ bits as output from $\mathcal{F}$, (3) $\mathcal{F}$ is a deterministic function, and (4) the local state of $\mathcal{F}$ after each activation can be described by at most $k$ bits. The initial state of $\mathcal{F}$ is described by $k$ zero bits. We assume that messages sent from $\mathcal{A}$ to $\mathcal{F}$ are ignored, and there are no messages from $\mathcal{F}$ to $\mathcal{A}$. 

We note that the “deterministic function” assumption about $\mathcal{F}$ is without loss of generality, since we can always realize a probabilistic functionality $\mathcal{F}$ using a deterministic one $\mathcal{F}'$ as follows. Assuming that $\mathcal{F}$ needs $k$ random bits, then $\mathcal{F}'$ receives a $k$-bit string as auxiliary input from each participating party upon the first activation, and then runs $\mathcal{F}$ using the XOR of these strings as the random bit string. It is easy to see that the simple protocol where each party sends a random $k$-bit string as the auxiliary input to $\mathcal{F}'$ securely realizes the ideal functionality $\mathcal{F}$ in the $\mathcal{F}'$-hybrid model. 

The following protocol $\Pi_{\mathcal{F}}$ realizes an activation of $\mathcal{F}$ when $P_1$ sends a message to $\mathcal{F}$. (The case for $P_2$ is analogous.) We assume that both $P_1$ and $P_2$ hold an sid as auxiliary input. When $P_1$ is activated with input $(sid, v)$, it initiates a protocol with $P_2$ to perform a joint gate-by-gate evaluation of the appropriate circuit in $C_{\mathcal{F}}$. 

Formally, they carry out the following protocol. 

Initialization: When $P_1$ receives $(sid, v)$, it checks if this is the first activation of $\mathcal{F}$, and if so it sets up the internal state. Then it commits to its private input. 

Setting up the internal state: For $i = 1, 2, \ldots, k$, $P_1$ sends messages (commit, sid, $cid_i$, $P_2$, 0) and then (open, sid, $cid_i$, $P_2$) to $\mathcal{F}_{JGE}$. $P_1$ waits to receive the appropriate receipts. $P_2$ aborts if any of the bits are not zero. Effectively, $P_1$ commits to the initial internal state of $\mathcal{F}$ (which is all zeros), and by opening them immediately, it proves to $P_2$ that these bits are indeed all-zero. 

Committing to the private input: For $i = 1, 2, \ldots, k$, $P_1$ sends messages (commit, sid, $cid_i$, $P_2$, $v_i$) to $\mathcal{F}_{JGE}$ and waits to receive the appropriate receipts. Here we assume that $v = v_1 v_2 \cdots v_k$. $P_2$ simply records the receipts received from $\mathcal{F}_{JGE}$. 

This is entirely for simplicity. Note that the $\mathcal{F}_{JGE}$ functionality can be used to evaluate any gate of fan-in two. 

Note that if adaptive corruptions are allowed, then this is actually only true for adaptively well-formed functionalities. See [11] for a discussion on this point, and the modifications necessary for an ideal adversary in the case of probabilistic functions. 

Note that the cid’s used here and elsewhere in the protocol must all be unique bit strings that indicate the bit’s use in the circuit. For instance, the $cid_i$ here could be the bit encoding of (state, $i$). 

Gate-by-gate evaluation: For each NAND gate in the circuit, $P_1$ determines the commitment identifiers associated with the inputs to that NAND gate, say $cid_0$ and $cid_1$, creates a new unique commitment identifier cid, sends message (eval, sid, cid, $cid_0$, $cid_1$, $P_2$, 1110) to $\mathcal{F}_{JGE}$, and waits for the appropriate receipt. Here $m = 1110$ is the encoding of the NAND operation. $P_2$ simply records the receipts received from $\mathcal{F}_{JGE}$. 

Output: $P_2$ verifies from all its receipts that $P_1$ had $\mathcal{F}_{JGE}$ perform the correct computation on the appropriate bits. Then for each output bit of $\mathcal{F}$, it is either an internal state bit, or a bit addressed to either $P_1$ or $P_2$ (we have assumed that $\mathcal{F}$ does not communicate with $\mathcal{A}$). In the former case, $P_1$ and $P_2$ do not need to do anything. They simply store the identifier of this bit, so that they can use it in the next activation. In the latter case, assuming that this bit, with identifier cid, is addressed to $P_2$, $P_1$ sends a message (open, sid, cid, $P_2$) to $\mathcal{F}_{JGE}$ and $P_2$ extracts the bit $b$ from the message (DATA, sid, cid, $\{P_1, P_2\}$, $b$) received from $\mathcal{F}_{JGE}$. The protocol for the case of a bit addressed to $P_1$ is the same, but with $P_1$ and $P_2$ switched. 

Messages that are out of order are dealt with using tagging, as in [11]. 

Theorem 4. Let $\mathcal{F}$ be a two-party adaptively well-formed functionality. Then $\Pi_{\mathcal{F}}$ securely realizes $\mathcal{F}$ in the $\mathcal{F}_{JGE}$-hybrid model, in the presence of malicious adaptive adversaries. 

Proof appears in [25]. 



6 Efficient and Universally Composable Multi-party 
Computation 

In this section we show how to extend the results from previous sections to 
securely realize any well-formed multi-party functionality in the presence of ma- 
licious adaptive adversaries corrupting an arbitrary number of parties. Our con- 
struction is similar to that in [11] for semi-honest adversaries. But, again as in 
the two-party case, we are able to construct building blocks that can withstand 
malicious adversaries, and therefore our construction is secure against malicious, 
adaptive adversaries directly. 

In order to securely realize $\mathcal{F}$, we basically follow the same approach as in the two-party case. However, we first need to extend some of our constructions from previous sections to suit the multiple-party case. 

To indicate the use of each of these bits in the circuit, one could, for instance, set $cid_i$ to be the bit encoding of (input, $P_1$, $a$, $i$), where $a$ is the activation number. 
6.1 Broadcast and the One-to-Many ZK Functionalities 

We assume an authenticated broadcast channel available to all participating parties. The channel is modeled by the broadcast functionality $\mathcal{F}_{BC}$ below. The functionality guarantees the authenticity of a message, i.e., that no party $P_i$ can fake a message from $P_j$. This is also the assumption used in [11], and we refer the readers to [11,29] for more in-depth discussions. 



Functionality $\mathcal{F}_{BC}$ 

$\mathcal{F}_{BC}$ proceeds as follows, running with parties $P_1, \ldots, P_n$ and an adversary $\mathcal{S}$. 

— Upon receiving a message (broadcast, sid, $\mathcal{P}$, $x$) from $P_i$, where $\mathcal{P}$ is a set of parties, send (BCAST-MSG, sid, $P_i$, $\mathcal{P}$, $x$) to all parties in $\mathcal{P}$ and $\mathcal{S}$, and halt. 



We also need an extension of the ZK functionality, namely the one-to-many ZK functionality, denoted by $\mathcal{F}_{mZK}$. Intuitively, this functionality allows a single prover to prove a theorem to multiple verifiers simultaneously. We give the formal definition in [25]. 

We observe that the UCZK construction by Garay et al. [24] can be naturally extended to a one-to-many UCZK protocol with the additional broadcast functionality. Roughly speaking, $P_i$ (the prover) runs an independent copy of the two-party UCZK protocol with every party $P_j \in \mathcal{V}$ using a unique sid, and all messages are broadcast. Each $P_j$ accepts if and only if all the conversations are accepting. It is straightforward to construct an ideal adversary $\mathcal{S}$. If the prover is uncorrupted, $\mathcal{S}$ simply runs a multi-party UCZK simulator for every copy of the UCZK protocol. If the prover is corrupted and there is at least one uncorrupted verifier, $\mathcal{S}$ can extract the witness. If all parties are corrupted, the simulation is straightforward. The conversion remains efficient. Therefore we have the following theorem. 

Theorem 5. Under the strong RSA assumption or the DSA assumption, for every relation $R$ that admits an $\Omega$-protocol $\Pi$, there exists a three-round protocol UC[$\Pi$] that securely realizes the ideal functionality $\mathcal{F}^R_{mZK}$ in the $(\mathcal{F}_{CRS}, \mathcal{F}_{BC})$-hybrid model against adaptive adversaries, assuming erasing. Furthermore, the computation complexity of UC[$\Pi$] is that of $\Pi$ plus a constant number of exponentiations and the generation of a signature, times the number of receiving parties. 

6.2 Multi-party ECOT 

We also extend the $\mathcal{F}_{ECOT}$ functionality to the multi-party case, where the proof phase is replaced by a one-to-many proof and the receipts are sent to all participating parties. A formal definition of $\mathcal{F}_{mECOT}$ appears in [25]. 

It is straightforward to extend the UCECOT protocol to the multiple-party case. One simply replaces the $\hat{\mathcal{F}}_{ZK}$ functionalities by the $\mathcal{F}_{mZK}$ functionalities and replaces the point-to-point messages by broadcast messages. We denote the extended protocol by UCmECOT, and we have the following theorem. 

Theorem 6. Under the DDH assumption, protocol UCmECOT securely realizes the $\mathcal{F}_{mECOT}$ ideal functionality in the corresponding hybrid model (with the one-to-many zero-knowledge functionalities in place of the two-party ones) against adaptive adversaries, assuming erasing. 

6.3 Multi-party Joint Gate Evaluation 

We extend the joint gate evaluation functionality to the multi-party case. Functionality $\mathcal{F}_{mJGE}$ is shown below. The only changes with respect to the two-party case are that the receipts are sent to all participating parties, and that all parties have to agree for the opening to take place. 

Functionality $\mathcal{F}_{mJGE}$ 

$\mathcal{F}_{mJGE}$ proceeds as follows, running with parties $P_1, \ldots, P_n$, and adversary $\mathcal{S}$. 

— Commit phase: When receiving from $P_i$ a message (commit, sid, cid, $\mathcal{P}$, $b$), if $P_i \in \mathcal{P}$, then record (cid, $\mathcal{P}$, $b$), send message (RECEIPT, sid, cid) to all parties in $\mathcal{P}$ and $\mathcal{S}$, and ignore all further messages of the form (commit, sid, cid, *, *) and (eval, sid, cid, *, *, *, *). 

— Evaluate phase: When receiving from $P_i$ a message (eval, sid, cid, $cid_0$, $cid_1$, $\mathcal{P}$, $m$), if $P_i \in \mathcal{P}$ and both ($cid_0$, $\mathcal{P}$, $b_0$) and ($cid_1$, $\mathcal{P}$, $b_1$) are recorded, then compute $b = op^{(2)}_m(b_0, b_1)$, record (cid, $\mathcal{P}$, $b$), send message (EVAL-RECEIPT, sid, cid, $cid_0$, $cid_1$, $P_i$, $\mathcal{P}$, $m$) to all parties in $\mathcal{P}$ and $\mathcal{S}$, and ignore all further messages of the form (commit, sid, cid, *, *) and (eval, sid, cid, *, *, *, *); otherwise, do nothing. 

— Open phase: When receiving from $P_i$ a message (open, sid, cid, $P_j$), if $P_i \in \mathcal{P}$, $P_j \in \mathcal{P}$, and the tuple (cid, $\mathcal{P}$, $b$) is recorded, then record tuple (openreq, sid, cid, $P_i$, $P_j$). When a tuple (openreq, sid, cid, $P_i$, $P_j$) is recorded for every $P_i \in \mathcal{P}$, then send message (DATA, sid, cid, $b$) to $P_j$. 

In fact, we only need a “weakened” version of the $\mathcal{F}_{mJGE}$ functionality for general multi-party computation. The weakened version, denoted by $\mathcal{F}_{wmJGE}$, has the additional constraint that only XOR and AND operations are allowed in the evaluation phase. It is obvious that since {XOR, AND} is a complete set of Boolean operations, $\mathcal{F}_{wmJGE}$ is powerful enough to realize any multi-party functionality. 

As in the two-party case, we also need an extension of the $\mathcal{F}_{mECOT}$ functionality, denoted by $\mathcal{F}'_{mECOT}$, which performs a one-out-of-many oblivious transfer and proves relations among four bits. We only state the following theorem and omit the details. 

Theorem 7. There exists an efficient protocol that securely realizes the $\mathcal{F}'_{mECOT}$ functionality in the $\mathcal{F}_{mECOT}$-hybrid model against malicious, adaptive adversaries. 

Next, we briefly sketch a protocol UCmJGE that securely realizes $\mathcal{F}_{wmJGE}$ in the $\mathcal{F}'_{mECOT}$-hybrid model. This protocol is essentially a multi-party extension of the UCJGE protocol. In UCmJGE, a bit $b$ is now shared among all participating parties: party $P_i$ has bit $b_i$ such that $\sum_{i=1}^{n} b_i = b \bmod 2$. In the following description, we omit some details of the protocol such as the format of the messages and the identifiers of the bits. These details should be clear from the context. 

Commit phase: For party Pi to commit to a bit 6, it generates random bits 
&i, & 2 , bn-i A {0, 1} and b„ <— b (B bi (B ■ ■ ■ (B b„-i. Then Pi commits to 
bi through sends bits bj to party Pj for all j ^ i. Then each Pj 

commits to hj through the IF^ecot opens it to Pi immediately. 
Evaluate phase: Assume the two bits to be computed are a and b, and Pi 
holds bits tti, bi as their shares. Naturally we have a = ^Ui mod 2 and 
b = 'Y^bi mod 2. We assume the result bit is c and each party should hold 
a share Ci at the end of this phase. We consider two cases according to the 
operation performed. 

XOR: To compute the XOR of bit a and 6, each party simply computes 
Ci = ai®bi. No messages are needed. 

AND: To compute the AND of bits $a$ and $b$, we follow the approach in [26, 11]. Observe that AND is multiplication modulo 2, and we have the following equality:

$$\Bigl(\sum_{i=1}^{n} a_i\Bigr)\Bigl(\sum_{i=1}^{n} b_i\Bigr) = n \cdot \sum_{i=1}^{n} a_i b_i + \sum_{1 \le i < j \le n} (a_i + a_j)(b_i + b_j) \pmod 2$$

(see [26] for the justification of this equality). Therefore, each party $P_i$ can compute $n \cdot a_i \cdot b_i$ by itself, and each pair $P_i$ and $P_j$ can jointly compute $(a_i + a_j)(b_i + b_j)$ as in the two-party case, by invoking multiple transfer phases of the $F_{\mathrm{mECOT}}$ functionality.

Open phase: To open a bit $b$, shared as $b = \sum_{i=1}^n b_i \bmod 2$, to party $P_i$, every $P_j$ opens its share $b_j$ through $F_{\mathrm{mECOT}}$. Then $P_i$ sums up all the shares to obtain $b$.

Abort: In case any party aborts and/or deviates from the protocol, all parties 
abort the protocol. 
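The share arithmetic of the three phases above, as an added example that is not part of the original paper: bits are XOR-shared as in the commit phase, an AND gate is evaluated with the equality quoted above, and the result is opened by summing shares. The two-party sub-protocol that a pair runs over $F_{\mathrm{mECOT}}$ is not modelled; the hypothetical helper `pairwise_product_shares` simply returns two random bits whose XOR is the pair's product, which is all the equality needs. `check_identity` confirms the equality exhaustively for small $n$, including the factor $n$ in front of the local term, which only matters when $n$ is odd.

```python
from itertools import combinations
import random

def xor_share(bit, n, rng):
    """Commit phase: b_1..b_{n-1} random, b_n chosen so that the shares XOR to `bit`."""
    shares = [rng.randrange(2) for _ in range(n - 1)]
    shares.append(bit ^ (sum(shares) % 2))
    return shares

def pairwise_product_shares(x, y, rng):
    """Hypothetical stand-in for the two-party sub-protocol run over F_mECOT (assumption,
    not the paper's construction): two random bits whose XOR equals x * y."""
    s = rng.randrange(2)
    return s, (x & y) ^ s

def and_shares(a_shares, b_shares, rng):
    """Evaluate phase, AND gate: each P_i ends with c_i such that XOR_i c_i = a AND b."""
    n = len(a_shares)
    # local term n * a_i * b_i, computed by P_i alone
    c = [(n * a_shares[i] * b_shares[i]) % 2 for i in range(n)]
    # pairwise term (a_i + a_j)(b_i + b_j), split into one share for P_i and one for P_j
    for i, j in combinations(range(n), 2):
        x = a_shares[i] ^ a_shares[j]          # a_i + a_j mod 2
        y = b_shares[i] ^ b_shares[j]          # b_i + b_j mod 2
        si, sj = pairwise_product_shares(x, y, rng)
        c[i] ^= si
        c[j] ^= sj
    return c

def xor_shares(a_shares, b_shares):
    """Evaluate phase, XOR gate: purely local."""
    return [ai ^ bi for ai, bi in zip(a_shares, b_shares)]

def open_shares(shares):
    """Open phase: the bit is the sum of all shares mod 2."""
    return sum(shares) % 2

def check_identity(n):
    """Exhaustively verify the equality (sum a_i)(sum b_i) =
    n * sum a_i b_i + sum_{i<j} (a_i + a_j)(b_i + b_j) mod 2 over all share vectors."""
    for bits in range(1 << (2 * n)):
        a = [(bits >> i) & 1 for i in range(n)]
        b = [(bits >> (n + i)) & 1 for i in range(n)]
        lhs = (sum(a) * sum(b)) % 2
        rhs = (n * sum(ai * bi for ai, bi in zip(a, b))
               + sum((a[i] + a[j]) * (b[i] + b[j])
                     for i, j in combinations(range(n), 2))) % 2
        if lhs != rhs:
            return False
    return True

def evaluate(a, b, n, seed=1):
    """Share a and b among n parties, then return (opened AND, opened XOR)."""
    rng = random.Random(seed)
    a_sh, b_sh = xor_share(a, n, rng), xor_share(b, n, rng)
    return open_shares(and_shares(a_sh, b_sh, rng)), open_shares(xor_shares(a_sh, b_sh))
```

Running `evaluate(1, 1, 4)` gives `(1, 0)`; the randomness only affects which shares each party holds, never the opened value.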

Theorem 8. Protocol $\mathrm{UC}_{\mathrm{mJGE}}$ securely realizes functionality $F_{\mathrm{mJGE}}$ in the $F_{\mathrm{mECOT}}$-hybrid model against malicious, adaptive adversaries.

The proof is very similar to that of Theorem 3. Next, for any multi-party functionality $\mathcal{F}$, we construct a protocol $\Pi_{\mathcal{F}}$ that securely realizes $\mathcal{F}$ in the $F_{\mathrm{mJGE}}$-hybrid model. The construction is almost identical to the two-party case, except that since we assume the circuit computing $\mathcal{F}$ consists of AND and XOR gates instead of NAND gates, the gate-by-gate evaluation will invoke the $F_{\mathrm{mJGE}}$ functionality with different encodings of functions. Again, we defer the detailed construction and proof to the full version of this paper.

Theorem 9. Let $\mathcal{F}$ be a multi-party adaptively well-formed functionality. Then $\Pi_{\mathcal{F}}$ securely realizes $\mathcal{F}$ in the $F_{\mathrm{mJGE}}$-hybrid model, in the presence of malicious adaptive adversaries.
Abstract. A mix-net is a cryptographic protocol executed by a set of mix-servers that provides anonymity for a group of senders. The main application is electronic voting.

Numerous mix-net constructions and stand-alone definitions of security 
are proposed in the literature, but only partial proofs of security are 
given for most constructions and no construction has been proved secure 
with regards to any kind of composition. 

We define an ideal mix-net in the universally composable security framework of Canetti [6]. Then we describe a mix-net based on Feldman [13] and using similar ideas as Desmedt and Kurosawa [10], and prove that it securely realizes the ideal mix-net with respect to static adversaries that corrupt a minority of the mix-servers and arbitrarily many senders.

The mix-net executes in a hybrid model with access to ideal distributed key generation, but apart from that our only assumption is the existence of a group in which the Decision Diffie-Hellman Problem is hard.

If there are relatively few mix-servers or a strong majority of honest 
mix-servers our construction is practical. 



1 Introduction 

The notion of a mix-net was invented by Chaum [7]. Properly constructed, a 
mix-net takes a list of cryptotexts and outputs the cleartexts permuted using a 
secret random permutation. Usually a mix-net is realized by a set of mix-servers 
organized in a chain that collectively execute a protocol. Each mix-server receives 
a list of encrypted messages from the previous mix-server, transforms them, 
using partial decryption or random re-encryption, reorders them, and outputs 
the result. The secret permutation is shared by the mix-servers. 

1.1 Previous Work 

Chaum’s original “anonymous channel” [7,36] enables a sender to send mail anonymously. When constructing election schemes [7,14,37,43,35] a mix-net can be used to ensure that the vote of a given voter can not be revealed. Abe gives an efficient construction of a general mix-net [1], and argues about its properties. Jakobsson has written (partly with Juels) more general papers on the topic of mixing [24,25,26] focusing on efficiency. Furukawa and Sako [15], and Neff [33] respectively have recently found efficient proofs of a correct shuffle, but these proposals have incomplete or flawed analysis. Groth [23] builds on Neff’s ideas to form an abstract protocol for any homomorphic cryptosystem.

Desmedt and Kurosawa [10] describe an attack on a protocol by Jakobsson 
[24]. Similarly Mitomo and Kurosawa [32] exhibit a weakness in another pro- 
tocol by Jakobsson [25]. Pfitzmann has given some general attacks on mix-nets 
[40,39], and Michels and Horster give additional attacks in [31]. Wikström [46] 
gives several attacks for a protocol by Golle et al. [22]. He also gives attacks 
for the protocols by Jakobsson [25] and Jakobsson and Juels [27]. Abe [2] has 
independently found related attacks. 

Canetti [6] and independently Pfitzmann and Waidner [41] proposed security frameworks for reactive processes. We use the former framework. Both frameworks have composition theorems, and are based on older definitional work. The initial ideal-model based definitional approach for secure function evaluation is informally proposed by Goldreich, Micali, and Wigderson in [18]. The first formalizations appear in Goldwasser and Levin [19], Micali and Rogaway [30], and Beaver [3]. Canetti [5] presents the first definition of security that is preserved under composition. See [5,6] for an excellent background on these definitions.

1.2 Contribution 

The large number of attacks and flawed analyses for mix-net constructions, e.g. [10,32,40,39,31,46,2] and [33,15] respectively, suggest that constructing a secure mix-net is hard. Previous work on mix-nets gives ad-hoc definitions of security, and most provide proofs in heuristic models. We take a broader view and present the first mix-net provably secure in the UC-security framework. To achieve this we introduce a natural definition of a UC-secure mix-net, and avoid all two-party proofs of knowledge. Instead we introduce multi-verifier proofs of knowledge that exploit the potential of an honest majority of mix-servers.

1.3 Outline of the Paper 

The paper is organized as follows. First we define ideal functionalities correspond- 
ing to the notions of a mix-net, a bulletin board, distributed key generation, and 
multi- verifier zero-knowledge. Then we describe a generic mix-net running in a 
hybrid model with access to these ideal functionalities (except the ideal mix- 
net) that securely realizes the ideal mix-net. This is followed by protocols that 
securely realize a proof of knowledge of a cleartext of an El Gamal cryptotext, 
and a proof of knowledge of the correctness of a decrypt-shuffle respectively. 
Finally we use the composition theorem of Canetti [6] to compose our protocols 
with each other and with the universally composable authenticated broadcast 
presented by Goldwasser and Lindell [20]. This gives a universally composable 
mix-net in a hybrid model with ideal distributed key generation. In this confer- 
ence version we only give shortened proofs of Lemma 2 and Lemma 4. The full 
version of this paper [47] provides proofs of all claims. 
1.4 Notation

Throughout $P_1, \dots, P_N$ will denote senders and $M_1, \dots, M_k$ mix-servers. All participants are modeled as interactive Turing machines. We abuse notation and use $P_i$ and $M_j$ to denote both the machines themselves and their identity. We denote the set of permutations of $N$ elements by $\Sigma_N$. We use the term “randomly” instead of “uniformly and independently at random”. We assume that $G_q$ is a group of prime order $q$ with generator $g$ for which the Decision Diffie-Hellman Assumption holds. Informally the assumption says that it is hard to distinguish the distributions $(g^\alpha, g^\beta, g^{\alpha\beta})$ and $(g^\alpha, g^\beta, g^\gamma)$ when $\alpha, \beta, \gamma \in \mathbb{Z}_q$ are randomly chosen.

We review the El Gamal [12] cryptosystem employed in $G_q$. The private key $x$ is generated by choosing $x \in \mathbb{Z}_q$ randomly. The corresponding public key is $y = g^x$. Encryption of a message $m \in G_q$ using the public key $y$ is given by $E_y(m, r) = (g^r, y^r m)$, where $r$ is chosen randomly from $\mathbb{Z}_q$, and decryption of a cryptotext of the form $(u, v) = (g^r, y^r m)$ using the private key $x$ is given by $D_x(u, v) = u^{-x} v = m$. Tsiounis and Yung [45] show that the El Gamal cryptosystem is semantically secure [21,29] under the DDH-assumption.

1.5 The UC-Security Framework 

In this conference version we only give a short informal review of the UC-framework. For details we refer the reader to Canetti [6] or the full version of this paper [47].

The core of the framework consists of the real model, the ideal model, and 
many different hybrid models. In all models the corresponding adversary may 
corrupt a certain fraction of the parties. 

The real model is a model of real world computing, i.e. a list of interactive Turing machines execute a protocol over an asynchronous authenticated open network. The real adversary can see all communication and decide when messages are delivered. The ideal model contains an ideal functionality, i.e. a trusted party, that defines a service we wish to implement. Thus a protocol in the ideal model is trivial and consists of machines that forward any input to the ideal functionality, and give any output from the ideal functionality as output. The ideal adversary decides when messages are delivered from the ideal functionality but it can not see any contents. An ideal functionality is considered secure by definition. To be able to seamlessly move from a real model to an ideal model there are many hybrid models. A protocol running in a hybrid model is a list of interactive Turing machines that have access to some set of ideal functionalities.

The definition of security is based on the simulation paradigm. A protocol 
is said to securely realize an ideal functionality if for any real adversary in the 
real model, there is an ideal adversary in the ideal model that has the same 
advantage. In contrast to classical definitions the distinguisher is present during 
the execution and may influence the adversary based on part of the transcript. 

The definition of security allows secure composition of protocols, i.e. given a 
protocol secure in a hybrid model, and protocols that securely realize all ideal 
functionalities in use, it is trivial to construct a secure protocol in the real model. 
The notion of a communication model, $C_{\mathcal{I}}$, used below is not explicit in Canetti [6]. It works as a router between participants and between participants and ideal functionalities. Given input $(A, B, C, \dots)$ it interprets $A$ as the receiver of $(B, C, \dots)$. The adversary can not read the correspondence with ideal functionalities, but it has full control over when a message is delivered.

Throughout we consider the adversary model below, and we explicitly say 
when a result holds only with regards to blocking adversaries. 

Definition 1. We define $\mathcal{M}_{B(k)}$ to be the set of static adversaries that corrupt less than $B(k)$ participants of the mix-server type $M_j$, and arbitrarily many participants of the sender type $P_i$.

2 Ideal Functionalities 

No definition of an ideal mix-net in the UC-security framework has been given 
in the literature. Below we give a natural definition corresponding to a mix- 
net that outputs the cleartexts. The term mix-net is sometimes used also for 
constructions that do not decrypt the inputs, but we do not consider this here. 
We assume that each sender only sends one message. 

Throughout we implicitly assume that a message handed to an ideal functionality that is not of the form prescribed in its definition is returned to the sender immediately. In particular this includes verifying membership in $G_q$ when appropriate. We use the same convention for definitions of protocols.

Functionality 1 (Mix-Net). The ideal functionality for a mix-net, $F_{\mathrm{MN}}$, running with mix-servers $M_1, \dots, M_k$, senders $P_1, \dots, P_N$, and ideal adversary $S$ proceeds as follows.

1. Initialize a list $L = \emptyset$, and set $J_P = \emptyset$ and $J_M = \emptyset$.

2. Suppose $(P_i, \mathrm{Send}, m_i)$, $m_i \in G_q$, is received from $C_{\mathcal{I}}$. If $i \notin J_P$, set $J_P \leftarrow J_P \cup \{i\}$, and append $m_i$ to the list $L$. Then hand $(S, P_i, \mathrm{Send})$ to $C_{\mathcal{I}}$.

3. Suppose $(M_j, \mathrm{Run})$ is received from $C_{\mathcal{I}}$. Set $J_M \leftarrow J_M \cup \{j\}$. If $|J_M| > k/2$, then sort the list $L$ lexicographically to form a list $L'$, and hand $((S, M_j, \mathrm{Output}, L'), \{(M_l, \mathrm{Output}, L')\}_{l=1}^{k})$ to $C_{\mathcal{I}}$. Otherwise, hand $C_{\mathcal{I}}$ the list $(S, M_j, \mathrm{Run})$.

Most constructions given in the literature assume the existence of an authen- 
ticated bulletin board, but this assumption is rarely formalized. 

Functionality 2 (Bulletin Board). The ideal bulletin board functionality, $F_{\mathrm{BB}}$, running with participants $P_1, \dots, P_k$ and ideal adversary $S$, proceeds as follows.

1. $F_{\mathrm{BB}}$ holds a database indexed on integers. Initialize a counter $c = 0$.

2. Upon receiving $(P_i, \mathrm{Write}, m_i)$, $m_i \in \{0,1\}^*$, from $C_{\mathcal{I}}$, store $(P_i, m_i)$ under the index $c$ in the database, hand $(S, \mathrm{Write}, c, P_i, m_i)$ to $C_{\mathcal{I}}$, and set $c \leftarrow c + 1$.

3. Upon receiving $(P_j, \mathrm{Read}, c)$ from $C_{\mathcal{I}}$ check if a tuple $(P_i, m_i)$ is stored in the database under $c$. If so hand $((S, P_j, \mathrm{Read}, c, P_i, m_i), (P_j, \mathrm{Read}, c, P_i, m_i))$ to $C_{\mathcal{I}}$. If not, hand $((S, P_j, \mathrm{NoRead}, c), (P_j, \mathrm{NoRead}, c))$ to $C_{\mathcal{I}}$.
Goldwasser and Lindell [20] show that an authenticated broadcast can be securely realized with respect to blocking $\mathcal{M}_{k/2}$-adversaries. On the other hand Lindell, Lysyanskaya and Rabin [28] show that composable authenticated broadcast can not be realized for non-blocking $\mathcal{M}_B$-adversaries if $B > k/3$. The following lemma follows from [20].

Lemma 1. There exists a protocol $\pi_{\mathrm{BB}}$ that securely realizes $F_{\mathrm{BB}}$ with respect to blocking $\mathcal{M}_{k/2}$-adversaries.

The mix-servers must somehow set up distributed El Gamal keys, but we do not consider this problem here. We only note that the problem was first addressed by Pedersen [38], and that Gennaro et al. [17] discovered a flaw in his approach, and a solution to the problem. Unfortunately their protocol is given in a different model, and can not be applied here directly. Below, the joint secret key $x = \sum_{j=1}^k x_j$ corresponding to the public key $y = \prod_{j=1}^k y_j = g^x$ is implicit. Any individual participant can compute $y$, but not $x$.

Functionality 3 (Distributed El Gamal Key Generation). The ideal Distributed El Gamal Key Generation over $G_q$, $F_{\mathrm{KG}}$, running with mix-servers $M_1, \dots, M_k$, senders $P_1, \dots, P_N$, and ideal adversary $S$ proceeds as follows.

1. Initialize sets $J_j = \emptyset$ for $j = 0, \dots, k$.

2. Until $|J_0| = k$ wait for $(M_j, \mathrm{MyKey}, x_j, y_j)$ from $C_{\mathcal{I}}$ such that $x_j \in \mathbb{Z}_q$, $y_j = g^{x_j}$ and $j \notin J_0$. Set $J_0 \leftarrow J_0 \cup \{j\}$.

3. Hand $((S, \mathrm{PublicKeys}, y_1, \dots, y_k), \{(P_i, \mathrm{PublicKeys}, y_1, \dots, y_k)\}_{i=1}^{N}, \{(M_j, \mathrm{Keys}, x_j, y_1, \dots, y_k)\}_{j=1}^{k})$ to $C_{\mathcal{I}}$.

4. If $(M_j, \mathrm{Recover}, M_l)$ is received from $C_{\mathcal{I}}$, set $J_l \leftarrow J_l \cup \{j\}$. If $|J_l| > k/2$, then hand $((S, \mathrm{Recovered}, M_l, x_l), \{(M_j, \mathrm{Recovered}, M_l, x_l)\}_{j=1}^{k})$ to $C_{\mathcal{I}}$, and otherwise hand $(S, M_j, \mathrm{Recover}, M_l)$ to $C_{\mathcal{I}}$.

We need two different zero-knowledge proofs of knowledge. Following Canetti et al. [8] we define a single ideal zero-knowledge functionality taking a relation $R$ as a parameter, and then give two polynomial-time recognizable relations $R_C$ and $R_{DS}$ for the functionalities we need.

Functionality 4 (Zero-Knowledge Proof of Knowledge). Let $\mathcal{L}$ be a language given by a binary relation $R$. The ideal zero-knowledge proof of knowledge functionality of a witness $w$ to an element $x \in \mathcal{L}$, $F_{\mathrm{ZK}}^{R}$, running with provers $P_1, \dots, P_N$, and verifiers $M_1, \dots, M_k$, proceeds as follows.

1. Upon receipt of $(P_i, \mathrm{Prover}, x, w)$ from $C_{\mathcal{I}}$, store $w$ under the tag $(P_i, x)$, and hand $(S, P_i, \mathrm{Prover}, x, R(x, w))$ to $C_{\mathcal{I}}$. Ignore further messages from $P_i$.

2. Upon receipt of $(M_j, \mathrm{Question}, P_i, x)$ from $C_{\mathcal{I}}$, let $w$ be the string stored under the tag $(P_i, x)$ (the empty string if nothing is stored), and hand $((S, M_j, \mathrm{Verifier}, P_i, x, R(x, w)), (M_j, \mathrm{Verifier}, P_i, R(x, w)))$ to $C_{\mathcal{I}}$.

The first relation corresponds to knowledge of the cleartext $m$, when $(u, v)$ is interpreted as $(g^r, y^r m)$. This may be viewed as the ideal counterpart of the proof of knowledge in the heuristically non-malleable version of El Gamal described both by Tsiounis and Yung [45] and Schnorr and Jakobsson [44].
Definition 2 (Knowledge of Cleartext). Define a relation $R_C \subset G_q^4 \times \mathbb{Z}_q$ by $((g, y, u, v), r) \in R_C$ precisely when $\log_g u = r$.

Although neither $y$ nor $v$ plays any role in the definition we keep them to emphasize the similarity with older work.

The second relation corresponds to a correct partial decryption, permutation and re-encryption of a list of El Gamal cryptotexts. This may be viewed as the ideal counterpart to the honest verifier zero-knowledge proof of knowledge presented by Furukawa et al. [16], or that of Neff [34].

Definition 3 (Knowledge of Correct Decrypt-Shuffle). Define for each $N$ a relation $R_{DS} \subset (G_q^3 \times G_q^{2N} \times G_q^{2N}) \times (\mathbb{Z}_q \times \Sigma_N \times \mathbb{Z}_q^N)$, by

$$((g, h, y, \{(u_i, v_i)\}_{i=1}^{N}, \{(u'_i, v'_i)\}_{i=1}^{N}), (x, \pi, \{r_i\}_{i=1}^{N})) \in R_{DS}$$

precisely when $(u'_i, v'_i) =$ (expression lost in the scan) for $i = 1, \dots, N$, and $\log_g y = x$.

In an application the prover $M_j$ holds $\pi$, $r_i$, and $x$ such that $y = g^x$, and $h$ corresponds to the remaining part of a shared key.



3 A Generic Mix-Net in a Hybrid Model 

We describe a generic mix-net protocol in the $(F_{\mathrm{BB}}, F_{\mathrm{KG}}, F_{\mathrm{ZK}}^{R_C}, F_{\mathrm{ZK}}^{R_{DS}})$-hybrid model, i.e. the participants use an ideal bulletin board, ideal distributed El Gamal key generation, and ideal zero-knowledge proof systems for the relations $R_C$ and $R_{DS}$. The structure of our mix-net corresponds closely to the mix-net implemented by Furukawa et al. [16]. Other researchers, e.g. Neff [34], have had similar ideas. Our mix-net is secure as long as a majority of the mix-servers $M_j$ are honest. There is no bound on the number of corrupted senders $P_i$.

In the other common structure of a mix-net each mix-server performs a ran- 
dom re-encryption and permutation, and then the mix-servers jointly decrypt 
the output of the last mix-server. We believe that our results may be generalized 
to hold for such a protocol. 

We abuse notation. When a message is received via a copy of the ideal communication model $C_{\mathcal{I}}$, we say that it is received directly from an ideal functionality.

Informally the mix-net works as follows. Each sender encrypts its message 
using the El Gamal cryptosystem and proves that it knows the randomness used 
to do this. Then the mix-servers take turns to partially decrypt, permute, and 
re-encrypt the elements in the list. The output of the last mix-server is a list of 
permuted cleartexts. 

Protocol 1 (Generic Mix-Net). The generic mix-net protocol $\pi = (P_1, \dots, P_N, M_1, \dots, M_k)$ consists of senders $P_i$, and mix-servers $M_j$.

Sender $P_i$. Each sender $P_i$ proceeds as follows.

1. Wait for $(\mathrm{PublicKeys}, y_1, \dots, y_k)$ from $F_{\mathrm{KG}}$, and compute $y = \prod_{j=1}^{k} y_j$.

2. Wait for an input $(\mathrm{Send}, m_i)$, $m_i \in G_q$. Then choose $r_i \in \mathbb{Z}_q$ randomly and compute $(u_i, v_i) = E_y(m_i, r_i)$.

3. Hand $(\mathrm{Prover}, (g, y, u_i, v_i), r_i)$ to $F_{\mathrm{ZK}}^{R_C}$.

4. Hand $(\mathrm{Write}, (u_i, v_i))$ to $F_{\mathrm{BB}}$.

Mix-Server $M_j$. Each mix-server $M_j$ proceeds as follows.

1. Choose $x_j \in \mathbb{Z}_q$ randomly and hand $(\mathrm{MyKey}, x_j, g^{x_j})$ to $F_{\mathrm{KG}}$.

2. Wait for $(\mathrm{Keys}, y_1, \dots, y_k)$ from $F_{\mathrm{KG}}$, compute $h_l = \prod_{j=l}^{k} y_j$ for $l = 1, \dots, k$, and set $y = h_1$.

3. Wait for an input $(\mathrm{Run})$, and then hand $(\mathrm{Write}, \mathrm{Run})$ to $F_{\mathrm{BB}}$.

4. Wait until at least $k/2$ different mix-servers have written $\mathrm{Run}$ on $F_{\mathrm{BB}}$, and let the last entry of this type be $(c_{\mathrm{Run}}, M_j, \mathrm{Run})$.

5. Form the list $L^* = \{(u_\gamma, v_\gamma)\}_{\gamma \in I^*}$ for some index set $I^*$, from the set of entries on $F_{\mathrm{BB}}$ of the form $(c, P_\gamma, (u_\gamma, v_\gamma))$, where $0 < c < c_{\mathrm{Run}}$, $\gamma \in \{1, \dots, N\}$, and $u_\gamma, v_\gamma \in G_q$.

6. For each $\gamma \in I^*$ do the following.

a) Hand $(\mathrm{Question}, P_\gamma, (g, y, u_\gamma, v_\gamma))$ to $F_{\mathrm{ZK}}^{R_C}$.

b) Wait for $(\mathrm{Verifier}, P_\gamma, b_\gamma)$ from $F_{\mathrm{ZK}}^{R_C}$.

Then form $L_0 = \{(u_{0,i}, v_{0,i})\}_{i=1}^{N'}$ consisting of the pairs $(u_\gamma, v_\gamma)$ such that $b_\gamma = 1$.

7. For $l = 1, \dots, k$ do:

a) If $l \neq j$, then do:

i. Wait until an entry $(c, M_l, (\mathrm{List}, L_l))$ appears on $F_{\mathrm{BB}}$, where $L_l$ is of the form $\{(u_{l,i}, v_{l,i})\}_{i=1}^{N'}$ for $u_{l,i}, v_{l,i} \in G_q$.

ii. Hand $(\mathrm{Question}, M_l, (g, h_{l+1}, y_l, L_{l-1}, L_l))$ to $F_{\mathrm{ZK}}^{R_{DS}}$, and wait for $(\mathrm{Verifier}, M_l, b_l)$ from $F_{\mathrm{ZK}}^{R_{DS}}$.

iii. If $b_l = 0$, then hand $(\mathrm{Recover}, M_l)$ to $F_{\mathrm{KG}}$ and wait for $(\mathrm{Recovered}, M_l, x_l)$ from $F_{\mathrm{KG}}$. Then define $L_l = \{(u_{l,i}, v_{l,i})\}_{i=1}^{N'} =$ (expression lost in the scan).

b) If $l = j$, then choose $r_{j,i} \in \mathbb{Z}_q$ and $\pi_j \in \Sigma_{N'}$ randomly, and compute $L_j$ (expression lost in the scan). Finally hand $(\mathrm{Prover}, (g, h_{j+1}, y_j, L_{j-1}, L_j), (x_j, \pi_j, \{r_{j,i}\}_{i=1}^{N'}))$ to $F_{\mathrm{ZK}}^{R_{DS}}$, and hand $(\mathrm{Write}, (\mathrm{List}, L_j))$ to $F_{\mathrm{BB}}$.

8. Sort $\{v_{k,i}\}_{i=1}^{N'}$ lexicographically to form a list $L'$ and output $(\mathrm{Output}, L')$.

Lemma 2. Protocol 1 securely realizes the ideal functionality $F_{\mathrm{MN}}$ in the $(F_{\mathrm{BB}}, F_{\mathrm{KG}}, F_{\mathrm{ZK}}^{R_C}, F_{\mathrm{ZK}}^{R_{DS}})$-hybrid model with respect to $\mathcal{M}_{k/2}$-adversaries under the DDH-assumption in $G_q$.

Each mix-server computes $3N$ exponentiations in $G_q$.
Lemma 2 reduces the problem of constructing a UC-secure mix-net to the problem of constructing UC-secure realizations of the ideal functionalities $F_{\mathrm{BB}}$, $F_{\mathrm{KG}}$, $F_{\mathrm{ZK}}^{R_C}$ and $F_{\mathrm{ZK}}^{R_{DS}}$. The lemma can also be viewed as an argument for the security of mix-nets where the ideal functionalities $F_{\mathrm{ZK}}^{R_C}$ and $F_{\mathrm{ZK}}^{R_{DS}}$ are heuristically, but efficiently, realized, e.g. by zero-knowledge proofs of knowledge in the common random string model or the random oracle model (cf. [33,15,16,23]).

Pfitzmann [39,40] shows that the cryptotexts handed to a mix-net must be non-malleable [11] and a common way to ensure this is to use the cryptosystem suggested by Tsiounis and Yung [45] and Schnorr and Jakobsson [44], or the Cramer-Shoup cryptosystem [9]. Both constructions are efficient and may be viewed as El Gamal augmented with a proof of knowledge, but only the latter is provably secure and both lack the extraction requirements of the UC-framework.

4 Secure Realizations of $F_{\mathrm{ZK}}^{R_C}$ and $F_{\mathrm{ZK}}^{R_{DS}}$

We securely realize the ideal functionalities $F_{\mathrm{ZK}}^{R_C}$ and $F_{\mathrm{ZK}}^{R_{DS}}$ in the $F_{\mathrm{BB}}$-hybrid model in a reasonably practical way as long as the number of mix-servers is relatively small. A key observation is that since we are considering $\mathcal{M}_{B(k)}$-adversaries, the prover may well disclose its secret witness to all subsets consisting of at least $B(k)$ verifiers as long as it does not disclose it to any subset consisting of less than $B(k)$ verifiers.

4.1 A Realization of $F_{\mathrm{ZK}}^{R_C}$ in the $F_{\mathrm{BB}}$-Hybrid Model

We observe that we may view the verifiable secret sharing scheme (VSS) of Feldman [13] as a multi-verifier proof of knowledge of a logarithm, since his scheme only leaks information on the secret that is already known in our setting! Note that this protocol does not securely realize any natural ideal VSS functionality. The simulatability properties of the UC-framework are not satisfied.

Intuitively, the protocol works as follows. A prover shares his witness to the relation $R_C$, and uses a semantically secure cryptosystem over the authenticated bulletin board $F_{\mathrm{BB}}$ to distribute the shares. The verifiers check their shares, and write the result of their verification on the bulletin board. Each verifier then checks that all verifiers accepted their shares.

Protocol 2 (Zero-Knowledge Proof of Knowledge of Cleartext). Let $t = \lceil k/2 - 1 \rceil$. The zero-knowledge proof of knowledge of a cleartext protocol $\pi = (P_1, \dots, P_N, M_1, \dots, M_k)$ consists of provers $P_i$, and verifiers $M_j$.

Prover $P_i$.

1. Wait until $(\cdot, M_j, \mathrm{Keys}, y_{j,1}, \dots, y_{j,N})$ appears on $F_{\mathrm{BB}}$ for $j = 1, \dots, k$.

2. Wait for input $(\mathrm{Prover}, (g, y, u_i, v_i), r_i)$, where $g, y, u_i, v_i \in G_q$ and $r_i \in \mathbb{Z}_q$.

3. Choose $\alpha_{i,l} \in \mathbb{Z}_q$ randomly, define $p_i(x) = r_i + \sum_{l=1}^{t} \alpha_{i,l} x^l$, and compute $a_{i,l} = g^{\alpha_{i,l}}$ for $l = 1, \dots, t$, $s_{i,j} = p_i(j)$ for $j = 1, \dots, k$, and $C_{i,j} = E_{y_{j,i}}(s_{i,j}, \cdot)$ for $j = 1, \dots, k$.

4. Hand $(\mathrm{Write}, \mathrm{Proof}, (g, y, u_i, v_i), (a_{i,1}, \dots, a_{i,t}, C_{i,1}, \dots, C_{i,k}))$ to $F_{\mathrm{BB}}$.

Verifier $M_j$.

1. Generate El Gamal keys $(x_{j,i}, y_{j,i})$ for $i = 1, \dots, N$, and hand $(\mathrm{Write}, \mathrm{Keys}, y_{j,1}, \dots, y_{j,N})$ to $F_{\mathrm{BB}}$.

2. On input $(\mathrm{Question}, P_i, (g, y, u_i, v_i))$ do:

a) If $(\cdot, P_i, \mathrm{Proof}, (g, y, u_i, v_i), (a_{i,1}, \dots, a_{i,t}, C_{i,1}, \dots, C_{i,k}))$ can not be found on $F_{\mathrm{BB}}$, then output $(\mathrm{Verifier}, P_i, 0)$. Otherwise continue.

b) Compute $s_{i,j} = D_{x_{j,i}}(C_{i,j})$, and verify that $g^{s_{i,j}} = u_i \prod_{l=1}^{t} a_{i,l}^{j^l}$. If so set $b_{j,i} = 1$, otherwise $b_{j,i} = x_{j,i}$. Hand $(\mathrm{Write}, \mathrm{Judgement}, P_i, b_{j,i})$ to $F_{\mathrm{BB}}$.

c) Wait until $(\cdot, M_l, \mathrm{Judgement}, P_i, b_{l,i})$ appears on $F_{\mathrm{BB}}$ for $l = 1, \dots, k$.

d) Do the following for $l = 1, \dots, k$:

i. If $b_{l,i} = 1$, then set $b'_{l,i} = 1$.

ii. If $b_{l,i} \neq 1$ then check if $y_{l,i} = g^{b_{l,i}}$. If not set $b'_{l,i} = 1$. If so compute $s_{i,l} = D_{b_{l,i}}(C_{i,l})$, and verify that $g^{s_{i,l}} = u_i \prod_{m=1}^{t} a_{i,m}^{l^m}$. If so set $b'_{l,i} = 1$ and otherwise set $b'_{l,i} = 0$.

e) If $\sum_{l=1}^{k} b'_{l,i} = k$ set $b = 1$ and otherwise $b = 0$. Then output $(\mathrm{Verifier}, P_i, b)$.

Lemma 3. Protocol 2 securely realizes the ideal functionality $F_{\mathrm{ZK}}^{R_C}$ in the $F_{\mathrm{BB}}$-hybrid model with respect to $\mathcal{M}_{k/2}$-adversaries under the DDH-assumption in $G_q$.

Each prover computes $2k + t$ full exponentiations in $G_q$. Each verifier computes 2 full exponentiations in $G_q$ for each prover.
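The Feldman-style share and check of Protocol 2, as an added example that is not the paper's own code: the prover's step 3 (polynomial $p_i(x) = r_i + \sum_l \alpha_{i,l} x^l$, commitments $a_{i,l} = g^{\alpha_{i,l}}$, shares $s_{i,j} = p_i(j)$), the verifier's step 2b check $g^{s_{i,j}} = u_i \prod_l a_{i,l}^{j^l}$, and the extraction property that motivates the construction: any $t+1$ correct shares recover the witness $r$ by Lagrange interpolation, while $t$ corrupted verifiers hold a degree-$t$ polynomial with one point missing. The El Gamal transport of the shares to the verifiers' keys and the complaint handling of step 2d are left out; the group is the same constructed toy subgroup (p = 2039, q = 1019, g = 4) and is not secure.

```python
import random

# Constructed toy group, NOT secure: p = 2q + 1 with q prime; G_q is the order-q
# subgroup of quadratic residues mod p, generated by g = 4.
P, Q, G = 2039, 1019, 4

def share_witness(r, t, k, rng):
    """Prover step 3: p(x) = r + sum_{l=1}^t alpha_l x^l over Z_q; publish a_l = g^{alpha_l}
    and hand share s_j = p(j) to verifier j (their encryption under y_{j,i} is omitted)."""
    alphas = [rng.randrange(Q) for _ in range(t)]
    commits = [pow(G, al, P) for al in alphas]
    shares = {j: (r + sum(al * pow(j, l, Q) for l, al in enumerate(alphas, start=1))) % Q
              for j in range(1, k + 1)}
    return commits, shares

def verify_share(u, commits, j, s_j):
    """Verifier step 2b: accept iff g^{s_j} = u * prod_l a_l^{j^l}, where u = g^r."""
    rhs = u
    for l, a_l in enumerate(commits, start=1):
        rhs = rhs * pow(a_l, pow(j, l, Q), P) % P
    return pow(G, s_j, P) == rhs

def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_q: any t+1 correct shares return r.
    This is the extraction the UC simulator relies on when it controls t+1 verifiers."""
    r = 0
    for j, s_j in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        r = (r + s_j * num * pow(den, -1, Q)) % Q
    return r

def demo(r=777, t=4, k=10, seed=3):
    """Returns (all honest shares verify, a tampered share verifies, r recovered from t+1 shares,
    r recovered from a different t+1 shares). With k = 10, t = ceil(k/2 - 1) = 4 as in the protocol."""
    rng = random.Random(seed)
    u = pow(G, r, P)                       # the u of the cryptotext (u, v) = (g^r, y^r m)
    commits, shares = share_witness(r, t, k, rng)
    honest_ok = all(verify_share(u, commits, j, s) for j, s in shares.items())
    tampered_ok = verify_share(u, commits, 3, (shares[3] + 1) % Q)
    items = list(shares.items())
    return honest_ok, tampered_ok, reconstruct(items[:t + 1]), reconstruct(items[-(t + 1):])
```

A verifier that fails the check in step 2b publishes its private key as the complaint, so every other verifier can repeat exactly the `verify_share` computation on the decrypted share; that is why the check must be a public equation rather than a private judgement.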

The above protocol differs from the original protocol of Feldman [13] in that it does not require any interaction from the prover. To achieve this each verifier must generate an El Gamal key for each prover.

In order to use a single key for each mix-server we would need a cryptosystem secure against adaptive Chosen Ciphertext Attacks (CCA-attacks) in the sense of Rackoff and Simon [42]. Cramer and Shoup [9] show that their cryptosystem is CCA-secure under the DDH-assumption, so there exists such a cryptosystem. There are two drawbacks of this approach. Firstly, the complexity of the prover increases. Secondly, a verifier is no longer able to verify the correctness of a false complaint, since the complaining verifier is unable to reveal its private key (revealing the key reveals the witnesses of honest provers). It can be shown that this variant is only secure for $\mathcal{M}_{k/3}$-adversaries.

If there are very few corrupted provers a combination of the two methods is possible. For the provers a CCA-secure cryptosystem is used, but instead of revealing the key to complain, a verifier proves the correctness of its claim in zero-knowledge to the other verifiers, using a protocol similar to the above.

A CCA-secure cryptosystem that has the property that a decryptor can show directly to a third party the contents of a cryptotext without revealing its key would also solve the problem. Such a cryptosystem can be constructed under strong assumptions (cf. [4]).
4.2 A Realization of $F_{\mathrm{ZK}}^{R_{DS}}$ in the $F_{\mathrm{BB}}$-Hybrid Model

Neff [33] and independently Furukawa and Sako [15] present elegant ideas for proving the correctness of a shuffle, and Groth [23] recently refined the ideas of Neff [33], and gave a more rigorous analysis. Presently we are unable to transform any of these protocols into a UC-secure zero-knowledge proof without losing the efficiency of the original protocol. The approach of Desmedt and Kurosawa [10] is better suited to the extraction requirements of the UC-framework, but their protocol allows malicious verifiers to make honest verifiers reject the “proof” of an honest prover. This means that their “proof” is not a realization of a proof of knowledge according to Functionality 4. They use global properties to avoid this difficulty, but in our modularized approach this is difficult. Furthermore, we need a proof of correctness of a decrypt shuffle instead of a re-encryption shuffle.

We construct a secure realization of $F_{\mathrm{ZK}}^{R_{DS}}$ using similar ideas as Desmedt and Kurosawa, that is practical if the number of verifiers is small, or if a strong majority of the mix-servers are honest. The following definition uses several different partitions of the verifiers such that there is one partition in which each block contains at least one honest verifier, and such that all partitions have the property that there is one block that contains no corrupt verifiers.

Definition 4 ($(k,t)$-set system). Let $S = \{M_1, \dots, M_k\}$ be a set. A $(k,t)$-set system is a family $F = \{T_1, \dots, T_d\}$ of $(t+1)$-partitions $T_i = \{W_{i,1}, \dots, W_{i,t+1}\}$ of $S$, such that $\forall A \subset S$, $|A| = t$, $\exists T \in F$ such that $\forall W \in T$ we have $W \not\subseteq A$.

If there exists a $(k,t)$-set system, there exists such a set system with a minimal value of $d$. It is not hard to see that $d$ grows exponentially with $k$ when $t/k$ is constant. However, if $k = (t+1)(t+1)$ any partition $T_i$ such that $|W_{i,j}| = t+1$ suffices, and for some practical values of $k$ and $t$ the value of $d$ is not terribly large, i.e. a $(k,t)$-set system can be found by brute force search. For example if $k = 10$, $t = 4$ then $F = \{T_0, \dots, T_4\}$, where $T_i = \{\{j + i \bmod 5,\ j + 5\}\}_{j=0}^{4}$, suffices and $d = 5$. More details on set systems can be found in [10].

Our protocol is based on a $(k,t)$-set system and works as follows. The prover constructs a chain $L = L_0, \dots, L_{t+1} = L'$ of lists and a list $(\alpha_1, \dots, \alpha_{t+1})$ for each partition in the set system. The $\alpha_i$'s are randomly chosen under the restriction $\prod_{i=1}^{t+1} \alpha_i = y$. The lists are randomly chosen under the restriction $((g, h \prod_{l > i} \alpha_l, \alpha_i, L_{i-1}, L_i), w_i) \in R_{DS}$ for $i = 1, \dots, t+1$. The witnesses $w_i$ of the relations in a chain are encrypted with a semantically secure cryptosystem using the keys of the verifiers, and written on the bulletin board. The length of each chain is $t + 1$, which ensures that $t$ corrupted verifiers get no information. The number of chains and how the links are revealed are determined by the $(k,t)$-set system in such a way that there is at least one chain in which all links are revealed to the set of honest verifiers. This ensures the immediate extraction required by the UC-framework.
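The combinatorial core of the argument above, as an added example that is not part of the paper: the $(10,4)$-set system given after Definition 4 is built explicitly (servers indexed $0, \dots, 9$ rather than $M_1, \dots, M_{10}$), checked against the definition over all $\binom{10}{4}$ possible corrupted sets, and then read in protocol terms. Link $l$ of the chain built for partition $T$ is encrypted to the verifiers in $W_l$, so a coalition can read it exactly when one of its members lies in $W_l$; `chain_analysis` reports whether every chain keeps at least one link from the corrupted set (secrecy) and whether some chain is fully readable by the honest verifiers (extraction). The function names are this example's own.

```python
from itertools import combinations

K, T = 10, 4   # the worked example on the page: k = 10 mix-servers, t = 4

def page_set_system():
    """The (10,4)-set system from the page, with servers indexed 0..9:
    T_i = {{(j + i) mod 5, j + 5} : j = 0..4} for i = 0..4, hence d = 5."""
    return [[frozenset({(j + i) % 5, j + 5}) for j in range(5)] for i in range(5)]

def is_partition(blocks, k):
    """Blocks are disjoint and cover {0..k-1}."""
    return (sum(len(W) for W in blocks) == k
            and frozenset().union(*blocks) == frozenset(range(k)))

def is_set_system(F, k, t):
    """Definition 4: each T in F is a (t+1)-partition, and for every A of size t
    some T has no block W contained in A."""
    if any(len(T) != t + 1 or not is_partition(T, k) for T in F):
        return False
    for A in combinations(range(k), t):
        A = frozenset(A)
        if not any(all(not W <= A for W in T) for T in F):
            return False
    return True

def links_readable_by(group, T):
    """Link l is encrypted to the verifiers in W_l, so `group` can read it
    iff group intersects W_l. Returns one flag per link."""
    return [bool(W & group) for W in T]

def chain_analysis(F, k, corrupt):
    """(every chain keeps at least one link hidden from `corrupt`,
        some chain is fully readable by the honest verifiers)"""
    corrupt = frozenset(corrupt)
    honest = frozenset(range(k)) - corrupt
    hidden = all(not all(links_readable_by(corrupt, T)) for T in F)
    extractable = any(all(links_readable_by(honest, T)) for T in F)
    return hidden, extractable

def all_corrupt_sets_ok(F, k, t):
    """Secrecy and extraction hold for every possible set of t corrupted verifiers."""
    return all(chain_analysis(F, k, A) == (True, True) for A in combinations(range(k), t))
```

Secrecy here needs only the pigeonhole argument from the text (t corrupted verifiers cannot touch all t + 1 blocks), while extraction is exactly the existential clause of Definition 4, which is why a single partition such as $T_0$ alone fails the check.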

A Universally Composable Mix-Net 327

Protocol 3 (Zero-Knowledge Proof of Correct Decrypt-Shuffle). The proof protocol $\pi = (P_1, \dots, P_N, M_1, \dots, M_k)$ consists of provers $P_i$, and verifiers $M_j$. Let $t = B - 1$ and $F = \{T_1, \dots, T_d\}$, where $T_\gamma = \{W_{\gamma,1}, \dots, W_{\gamma,t+1}\}$, be a $(k,t)$-set system known by all participants.

Prover $P_i$.

1. Wait until $(\cdot, M_j, \mathrm{Keys}, y_{j,1}, \dots, y_{j,k})$ appears on $F_{\mathrm{BB}}$ for $j = 1, \dots, k$.

2. Wait for input $(\mathrm{Prover}, (g, h, y, L, L'), (x, \pi, \{r_i\}))$.

3. Do the following for $\gamma = 1, \dots, d$:

a) Set $L_{\gamma,0} = L$, and $L_{\gamma,t+1} = L'$.

b) Choose $a_{\gamma,1}, \dots, a_{\gamma,t+1} \in \mathbb{Z}_q$ randomly under the restriction that $x = \sum_{l=1}^{t+1} a_{\gamma,l}$, and define $\alpha_{\gamma,l} = g^{a_{\gamma,l}}$, and $\beta_{\gamma,l} = \prod_{l'=l}^{t+1} \alpha_{\gamma,l'}$.

c) For $l = 1, \dots, t$ choose a list $L_{\gamma,l}$ randomly under the restriction that $((g, h\beta_{\gamma,l+1}, \alpha_{\gamma,l}, L_{\gamma,l-1}, L_{\gamma,l}), w_{\gamma,l}) \in R_{DS}$ for some witness $w_{\gamma,l}$.

d) Let $w_{\gamma,t+1}$ be defined by $((g, h, \alpha_{\gamma,t+1}, L_{\gamma,t}, L_{\gamma,t+1}), w_{\gamma,t+1}) \in R_{DS}$.

e) Compute $C_{\gamma,j} = E_{y_{j,i}}(w_{\gamma,l})$ where the relation between $j$ and $l$ is given by $j \in W_{\gamma,l}$, for $j = 1, \dots, k$ and $l = 1, \dots, t+1$.

4. Hand $(\mathrm{Write}, \mathrm{Proof}, \{\alpha_{\gamma,t+1}, \{\alpha_{\gamma,l}, L_{\gamma,l}\}_{l=1}^{t}, \{C_{\gamma,j}\}_{j=1}^{k}\}_{\gamma=1}^{d})$ to $F_{\mathrm{BB}}$.

Verifier $M_j$.

1. Generate El Gamal keys $(x_{j,i}, y_{j,i})$ for $i = 1, \dots, k$, and hand $(\mathrm{Write}, \mathrm{Keys}, y_{j,1}, \dots, y_{j,k})$ to $F_{\mathrm{BB}}$.

2. On input $(\mathrm{Question}, P_i, (g, h, y, L, L'))$ do:

a) If $(\cdot, P_i, \mathrm{Proof}, \{\alpha_{\gamma,t+1}, \{\alpha_{\gamma,l}, L_{\gamma,l}\}_{l=1}^{t}, \{C_{\gamma,j}\}_{j=1}^{k}\}_{\gamma=1}^{d})$ can not be found on $F_{\mathrm{BB}}$ output $(\mathrm{Verifier}, P_i, 0)$. Otherwise continue.

b) Do the following for $\gamma = 1, \dots, d$:

i. Set $L_{\gamma,0} = L$, and $L_{\gamma,t+1} = L'$.

ii. Compute $w_{\gamma,l} = D_{x_{j,i}}(C_{\gamma,j})$, where $l$ is defined by $j \in W_{\gamma,l}$.

iii. Verify that $y = \prod_{l=1}^{t+1} \alpha_{\gamma,l}$ and $((g, h\beta_{\gamma,l+1}, \alpha_{\gamma,l}, L_{\gamma,l-1}, L_{\gamma,l}), w_{\gamma,l}) \in R_{DS}$. If so, set $b_{j,\gamma} = 1$ and otherwise $b_{j,\gamma} = x_{j,i}$.

c) Hand $(\mathrm{Write}, \mathrm{Judgement}, P_i, \{b_{j,\gamma}\}_{\gamma=1}^{d})$ to $F_{\mathrm{BB}}$.

d) Wait until $(\cdot, M_{j'}, \mathrm{Judgement}, P_i, \{b_{j',\gamma}\}_{\gamma=1}^{d})$ appears on $F_{\mathrm{BB}}$ for $j' \neq j$.

e) Do the following for $\gamma = 1, \dots, d$ and $j' = 1, \dots, k$:

i. If $b_{j',\gamma} = 1$, set $b'_{j',\gamma} = 1$.

ii. If $b_{j',\gamma} \neq 1$, check if $b_{j',\gamma}$ is the private key corresponding to $y_{j',i}$. If not set $b'_{j',\gamma} = 1$. If so, compute $w_{\gamma,l} = D_{b_{j',\gamma}}(C_{\gamma,j'})$ where $l$ is defined by $j' \in W_{\gamma,l}$, and check if $((g, h\beta_{\gamma,l+1}, \alpha_{\gamma,l}, L_{\gamma,l-1}, L_{\gamma,l}), w_{\gamma,l}) \in R_{DS}$ and $y = \prod_{l=1}^{t+1} \alpha_{\gamma,l}$. If so set $b'_{j',\gamma} = 1$, and otherwise set $b'_{j',\gamma} = 0$.

f) If $\sum_{j'=1}^{k} \sum_{\gamma=1}^{d} b'_{j',\gamma} = kd$ then set $b = 1$ and otherwise $b = 0$. Then output $(\mathrm{Verifier}, P_i, b)$.

Lemma 4. Let $B < k/2$. Protocol 3 securely realizes the ideal functionality $F_{\mathrm{ZK}}^{R_{DS}}$ in the $F_{\mathrm{BB}}$-hybrid model with respect to $\mathcal{M}_B$-adversaries under the DDH-assumption in $G_q$.

Each prover computes $O(5dtN)$ exponentiations in $G_q$, and each verifier computes $O(4dN)$ exponentiations in $G_q$ for each prover.
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In both Protocol 2 and 3 the El Gamal cryptosystem could be replaced by 
any semantically secure cryptosystem, under potentially stronger assumptions. 
Alternatively the ideal functionality for secure single message transmission could 
be used since each key is only used once, but that would require that the ideal 
functionality is altered to allow a receiver to “publish its private key” . 

The value of $d$, and thus the complexity of the protocol, grows exponentially with the number of mix-servers if $t/k$ is constant, but when the number of mix-servers is small, e.g. $k = 14$ and $t = 6$, or if there is a strong majority of honest mix-servers, e.g. $t = \sqrt{k}$, our scheme is practical.

5 Combining the Results 

At this point combining the results to show that we have securely realized a 
universally composable mix-net is easy. 

Theorem 1. Let $\pi$ be the composition of Protocol 1, with Protocol 2 and Protocol 3. Then $\pi$ securely realizes $\mathcal{F}_{MN}$ in the $(\mathcal{F}_{BB}, \mathcal{F}_{KG})$-hybrid model with respect to $\mathcal{A}_{k/2}$-adversaries under the DDH-assumption in $G_q$.



Corollary 1. The composition of $\pi$ and $\pi_{BB}$ securely realizes $\mathcal{F}_{MN}$ in the $\mathcal{F}_{KG}$-hybrid model with respect to blocking $\mathcal{A}_{k/2}$-adversaries under the DDH-assumption in $G_q$.

Our mix-net is not “universally verifiable”, i.e. an individual outsider cannot verify the correctness of an execution. On the other hand nothing prevents the mix-servers from proving the correctness of a decrypt-shuffle to any set of outside verifiers of which a majority is honest. Furthermore, in some scenarios the assumption on the maximum number of corrupted mix-servers is well founded.

We require an ideal distributed key generation functionality. The natural next 
step is to try to find a protocol that securely realizes this functionality under 
various reasonable assumptions. Another interesting line of research is to find 
more efficient secure realizations of and in various models. Scenarios 
where the number of mix-servers is large should also be considered. 



Acknowledgments. I am grateful to Johan Håstad for his advice and support. I had discussions with Gunnar Sjödin. My discussions with Rafael Pass encouraged me to do this work. Andy Neff and Jun Furukawa kindly answered all my questions about their respective constructions. I also thank the anonymous referees for their advice.

References

1. M. Abe, Universally Verifiable mix-net with Verification Work Independent of the Number of Mix-centers, Eurocrypt ’98, pp. 437-447, LNCS 1403, 1998.

2. M. Abe, Flaws in Some Robust Optimistic Mix-Nets, In Proceedings of Information Security and Privacy, 8th Australasian Conference, LNCS 2727, pp. 39-50, 2003.

3. D. Beaver, Foundations of secure interactive computation, Crypto ’91, LNCS 576, pp. 377-391, 1991.

4. R. Canetti, Towards realizing random oracles: Hash functions that hide all partial information, Crypto ’97, LNCS 1294, pp. 455-469, 1997.

5. R. Canetti, Security and composition of multi-party cryptographic protocols, Journal of Cryptology, Vol. 13, No. 1, winter 2000.

6. R. Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols, http://eprint.iacr.org/2000/067 and ECCC TR 01-24. Extended abstract appears in 42nd FOCS, IEEE Computer Society, 2001.

7. D. Chaum, Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms, Communications of the ACM - CACM ’81, Vol. 24, No. 2, pp. 84-88, 1981.

8. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally Composable Two-Party and Multi-Party Secure Computation, 34th STOC, pp. 494-503, 2002.

9. R. Cramer, V. Shoup, A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack, Crypto ’98, pp. 13-25, LNCS 1462, 1998.

10. Y. Desmedt, K. Kurosawa, How to break a practical MIX and design a new one, Eurocrypt 2000, pp. 557-572, LNCS 1807, 2000.

11. D. Dolev, C. Dwork, M. Naor, Non-Malleable Cryptography, 23rd STOC, pp. 542-552, 1991.

12. T. El Gamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory, Vol. 31, No. 4, pp. 469-472, 1985.

13. P. Feldman, A practical scheme for non-interactive verifiable secret sharing, In Proceedings of the 28th FOCS, pages 427-438, 1987.

14. A. Fujioka, T. Okamoto and K. Ohta, A practical secret voting scheme for large scale elections, Auscrypt ’92, LNCS 718, pp. 244-251, 1992.

15. J. Furukawa, K. Sako, An efficient scheme for proving a shuffle, Crypto 2001, LNCS 2139, pp. 368-387, 2001.

16. J. Furukawa, H. Miyauchi, K. Mori, S. Obana, K. Sako, An implementation of a universally verifiable electronic voting scheme based on shuffling, Financial Cryptography ’02, 2002.

17. R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure Distributed Key Generation for Discrete-Log Based Cryptosystems, Eurocrypt ’99, LNCS 1592, pp. 295-310, 1999.

18. O. Goldreich, S. Micali, and A. Wigderson, How to Play Any Mental Game, 19th STOC, pp. 218-229, 1987.

19. S. Goldwasser, L. Levin, Fair computation of general functions in presence of immoral majority, Crypto ’90, LNCS 537, pp. 77-93, 1990.

20. S. Goldwasser, Y. Lindell, Secure Multi-Party Computation Without Agreement, In Proceedings of the 16th DISC, LNCS 2508, pp. 17-32, 2002.

21. S. Goldwasser, S. Micali, Probabilistic Encryption, Journal of Computer and System Sciences (JCSS), Vol. 28, No. 2, pp. 270-299, 1984.

22. P. Golle, S. Zhong, D. Boneh, M. Jakobsson, A. Juels, Optimistic Mixing for Exit-Polls, Asiacrypt 2002, LNCS, 2002.

23. J. Groth, A Verifiable Secret Shuffle of Homomorphic Encryptions, PKC 2003, pp. 145-160, LNCS 2567, 2003.

24. M. Jakobsson, A Practical Mix, Eurocrypt ’98, LNCS 1403, pp. 448-461, 1998.

25. M. Jakobsson, Flash Mixing, In Proceedings of the 18th ACM Symposium on Principles of Distributed Computing - PODC ’98, pp. 83-89, 1998.

26. M. Jakobsson, A. Juels, Millimix: Mixing in small batches, DIMACS Technical report 99-33, June 1999.

27. M. Jakobsson, A. Juels, An optimally robust hybrid mix network, In Proceedings of the 20th ACM Symposium on Principles of Distributed Computing - PODC ’01, pp. 284-292, 2001.

28. Y. Lindell, A. Lysyanskaya, T. Rabin, On the Composition of Authenticated Byzantine Agreement, 34th STOC, pp. 514-523, 2002.

29. S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, SIAM Journal of Computing, Vol. 17, No. 2, pp. 412-426, 1988.

30. S. Micali, P. Rogaway, Secure Computation, Crypto ’91, LNCS 576, pp. 392-404, 1991.

31. M. Michels, P. Horster, Some remarks on a receipt-free and universally verifiable Mix-type voting scheme, Asiacrypt ’96, pp. 125-132, LNCS 1163, 1996.

32. M. Mitomo, K. Kurosawa, Attack for Flash MIX, Asiacrypt 2000, pp. 192-204, LNCS 1976, 2000.

33. A. Neff, A verifiable secret shuffle and its application to E-Voting, In Proceedings of the 8th ACM Conference on Computer and Communications Security - CCS 2001, pp. 116-125, 2001.

34. A. Neff, Personal communication, 2003.

35. V. Niemi, A. Renvall, How to prevent buying of votes in computer elections, Asiacrypt ’94, LNCS 917, pp. 164-170, 1994.

36. W. Ogata, K. Kurosawa, K. Sako, K. Takatani, Fault Tolerant Anonymous Channel, Information and Communications Security - ICICS ’97, pp. 440-444, LNCS 1334, 1997.

37. C. Park, K. Itoh, K. Kurosawa, Efficient Anonymous Channel and All/Nothing Election Scheme, Eurocrypt ’93, LNCS 765, pp. 248-259, 1994.

38. T. Pedersen, A threshold cryptosystem without a trusted party, Eurocrypt ’91, LNCS 547, pp. 522-526, 1991.

39. B. Pfitzmann, Breaking an Efficient Anonymous Channel, Eurocrypt ’94, LNCS 950, pp. 332-340, 1995.

40. B. Pfitzmann, A. Pfitzmann, How to break the direct RSA-implementation of mixes, Eurocrypt ’89, LNCS 434, pp. 373-381, 1990.

41. B. Pfitzmann, M. Waidner, Composition and Integrity Preservation of Secure Reactive Systems, 7th Conference on Computer and Communications Security of the ACM, pp. 245-254, 2000.

42. C. Rackoff, D. Simon, Noninteractive zero-knowledge proofs of knowledge and chosen ciphertext attacks, 22nd STOC, pp. 433-444, 1991.

43. K. Sako, J. Kilian, Receipt-free Mix-Type Voting Scheme, Eurocrypt ’95, LNCS 921, pp. 393-403, 1995.

44. C. Schnorr, M. Jakobsson, Security of Signed El Gamal Encryption, Asiacrypt 2000, LNCS 1976, pp. 73-89, 2000.

45. Y. Tsiounis, M. Yung, On the Security of El Gamal based Encryption, International workshop on Public Key Cryptography, LNCS 1431, pp. 117-134, 1998.

46. D. Wikstrom, Five Practical Attacks for “Optimistic Mixing for Exit-Polls”, to appear in proceedings of Selected Areas of Cryptography (SAC), LNCS, 2003.

47. D. Wikstrom, A Universally Composable Mix-Net, manuscript will be available at http://eprint.iacr.org/.







A Proofs 

Because of space restrictions we are unable to present proofs of all claims in 
this conference version. We present shortened proofs of Lemma 2 and Lemma 4. 
Proofs of all claims are given in the full version of this paper [47]. 

Proof (Lemma 2). We describe an ideal adversary $\mathcal{S}(\cdot)$ that runs any hybrid adversary $\mathcal{A}'$ as a black-box. Then we show that if $\mathcal{S}$ does not imply that the protocol is secure, then we can break the DDH-assumption.

The Ideal Adversary $\mathcal{S}$. Let $I_P$ and $I_M$ be the sets of indices of participants corrupted by $\mathcal{A}$ of the sender type and the mix-server type respectively. The ideal adversary $\mathcal{S}$ corrupts the dummy participants $P_i$ for which $i \in I_P$, and the dummy participants $M_i$ for which $i \in I_M$. The ideal adversary is best described by starting with a copy of the original hybrid ITM-graph $(V, E) = \mathcal{Z}'(\mathcal{H}(\mathcal{A}', \pi))$, where $\mathcal{Z}$ is replaced by a machine $\mathcal{Z}'$.

The adversary $\mathcal{S}$ simulates all machines in $V$ except those in $\mathcal{A}'$, and the corrupted machines $P_i$ for $i \in I_P$ and $M_i$ for $i \in I_M$ under $\mathcal{A}$'s control. We now describe how each machine is simulated.

$\mathcal{S}$ simulates the machines $P_i$, $i \notin I_P$, and the ideal functionalities $\mathcal{F}_{BB}$ and $\mathcal{F}_{KG}$ honestly. All $M_j$ for $j \notin I_M$ are also simulated honestly, except for $M_l$, where $l$ is chosen as the maximal index not in $I_M$, i.e. the last honest mix-server. The machine $M_l$ plays a special role.

Simulation of Links $(\mathcal{Z}, \mathcal{A})$, $(\mathcal{Z}, P_i)$ for $i \in I_P$, and $(\mathcal{Z}, M_j)$ for $j \in I_M$. $\mathcal{S}$ simulates $\mathcal{Z}'$, $P_i$ for $i \in I_P$, and $M_j$ for $j \in I_M$, such that it appears as if $\mathcal{Z}$ and $\mathcal{A}$, $\mathcal{Z}$ and $P_i$ for $i \in I_P$, and $\mathcal{Z}$ and $M_j$ for $j \in I_M$ are linked directly. For details on this see [47].

Extraction from Corrupt Mix-Servers and Simulation of Honest Mix-Servers. When a corrupt mix-server $M_j$, for $j \in I_M$, writes Run on $\mathcal{F}_{BB}$, $\mathcal{S}$ must make sure that $M_j$ sends (Run) to $\mathcal{F}_{MN}$. Otherwise it may not be possible to deliver an output to honest mix-servers. If an honest dummy mix-server $M_j$, for $j \notin I_M$, receives (Run) from $\mathcal{Z}$, $\mathcal{S}$ must make sure that $M_j$ receives (Run) from $\mathcal{Z}'$. If an honest mix-server $M_j$, for $j \notin I_M$, outputs (Output, $L'$), $\mathcal{S}$ must make sure that $M_j$ does the same. This is done as follows.

1. Let $j \in I_M$. If $(\cdot, M_j, \text{Run})$ appears on $\mathcal{F}_{BB}$, $M_j$ hands (Run) to $\mathcal{F}_{MN}$. When $\mathcal{S}$ receives $(\mathcal{S}, M_j, \text{Run})$ or $((\mathcal{S}, M_j, \text{Output}, L'), \{(M_l, \tau_l)\}_{l=1}^{k})$ from $\mathcal{C}_{\mathcal{I}}$ the simulation of $\mathcal{F}_{BB}$ is continued.

2. Let $j \notin I_M$. If $\mathcal{S}$ receives $(\mathcal{S}, M_j, \text{Run})$ or $((\mathcal{S}, M_j, \text{Output}, L'), \{(M_l, \tau_l)\}_{l=1}^{k})$ from $\mathcal{F}_{MN}$, $\mathcal{Z}'$ hands (Run) to $M_j$.

3. Let $j \notin I_M$. If $\mathcal{Z}'$ receives (Output, $L'$) from $M_j$, $\mathcal{S}$ instructs $\mathcal{C}_{\mathcal{I}}$ to deliver (Output, $L'$) to $M_j$.

Extraction from Corrupt Senders and Simulation of Honest Senders. If a corrupt sender $P_i$, for $i \in I_P$, in the hybrid protocol produces a cryptotext and informs $\mathcal{F}_{ZK}^{R_C}$ such that its input is deemed valid, then $\mathcal{S}$ must make sure that this message is extracted and given as input to $\mathcal{F}_{MN}$ by $P_i$.

When an honest dummy sender $P_i$, for $i \notin I_P$, receives a message $m_i$ from $\mathcal{Z}$, $\mathcal{S}$ must ensure that $P_i$ receives some message $m'_i$ from $\mathcal{Z}'$. But $\mathcal{S}$ cannot see $m_i$, and must therefore hand some other message $m'_i \neq m_i$ to $P_i$, and then later fix this flaw in the simulation before $\mathcal{A}'$ or $\mathcal{Z}$ notice it. This is done as follows.

1. Let $i \in I_P$. Until $\mathcal{S}$ receives $((\mathcal{S}, M_j, \text{Output}, L'), \{(M_l, \tau_l)\}_{l=1}^{k})$ from $\mathcal{C}_{\mathcal{I}}$:

a) If $\mathcal{F}_{ZK}^{R_C}$ receives $(P_i, \text{Prover}, (g, y, u_i, v_i), r_i)$ such that $((g, y, u_i, v_i), r_i) \in R_C$, then consult the storage of $\mathcal{F}_{BB}$ and look for a pair $(c, P_i, (u_i, v_i))$.

b) If $\mathcal{F}_{BB}$ receives $(P_i, \text{Write}, (u_i, v_i))$ then look if $\mathcal{F}_{ZK}^{R_C}$ stored $r_i$ under $(P_i, (g, y, u_i, v_i))$ such that $((g, y, u_i, v_i), r_i) \in R_C$.

If such a pair $[(c, P_i, (u_i, v_i)), (P_i, (g, y, u_i, v_i), r_i)]$ is found then $P_i$ sends $m_i = v_i y^{-r_i}$ to $\mathcal{F}_{MN}$ and ignores further such pairs. When $\mathcal{F}_{MN}$ writes $(P_i, \text{Send})$ to $\mathcal{S}$, the simulation of $\mathcal{F}_{ZK}^{R_C}$ or $\mathcal{F}_{BB}$ respectively is continued.

2. Let $i \notin I_P$. When $\mathcal{S}$ receives $(P_i, \text{Send})$ from $\mathcal{F}_{MN}$, then $\mathcal{Z}'$ sends a randomly chosen message $m'_i \in G_q$ to $P_i$.

How $M_l$ and $\mathcal{F}_{ZK}^{R_{DS}}$ fix the flaw in the simulation. $\mathcal{S}$ must make sure that the faulty messages $m'_i \neq m_i$ introduced during simulation of honest senders, because it does not know the real messages $m_i$ of the honest dummy participants $P_i$ for $i \notin I_P$, are not noticed. This is done by modifying $M_l$ and $\mathcal{F}_{ZK}^{R_{DS}}$ as follows.

1. If $\mathcal{F}_{ZK}^{R_{DS}}$ receives a tuple $(M_j, \text{Question}, M_l, (g, h_{l+1}, y_l, L_{l-1}, L_l))$ it verifies that a tuple on the form $(M_l, \text{Prover}, (g, h_{l+1}, y_l, L_{l-1}, L_l), \cdot)$ has been received. If so it sets $b = 1$ and otherwise $b = 0$. Finally it hands $((\mathcal{S}, M_j, \text{Verifier}, M_l, (g, h_{l+1}, y_l, L_{l-1}, L_l), b), (M_j, \text{Verifier}, M_l, b))$ to $\mathcal{C}_{\mathcal{I}}$.

2. $M_l$ does the following instead of Step 7b in the protocol. Let $L' = \{m_i\}_{i=1}^{N}$, and note that by construction $\mathcal{S}$ has received $((\mathcal{S}, M_j, \text{Output}, L'), \dots)$, i.e. it knows $L'$. $M_l$ chooses $r_i \in \mathbb{Z}_q$ and $\pi_l \in \Sigma_N$ randomly, and computes the list $L_l = \{(u_{l,i}, v_{l,i})\}_{i=1}^{N} = \{(g^{r_i}, h_{l+1}^{r_i} m_{\pi_l(i)})\}_{i=1}^{N}$. Finally it hands (Prover, $(g, h_{l+1}, y_l, L_{l-1}, L_l)$, $\cdot$) to $\mathcal{F}_{ZK}^{R_{DS}}$, and (Write, (List, $L_l$)) to $\mathcal{F}_{BB}$.

The first step ensures that $\mathcal{F}_{ZK}^{R_{DS}}$ plays along with $M_l$ and pretends to the other $M_j$ that $M_l$ did prove its knowledge properly. The second step ensures that $M_l$ fixes the flaw in the simulation introduced by $\mathcal{S}$ at the point when it did not know the messages sent by honest dummy participants $P_i$, for $i \notin I_P$.

This concludes the definition of the ideal adversary S. 

Reaching a Contradiction. Next we show, using a hybrid argument, that if the ideal adversary $\mathcal{S}$ defined above does not imply the security of Protocol 1, then we can break the DDH-assumption.

Suppose that $\mathcal{S}$ does not imply the security of the protocol. Then there exists a hybrid adversary $\mathcal{A}'$, an environment $\mathcal{Z}$ with auxiliary input $z = \{z_n\}$, a constant $c > 0$ and an infinite index set $\mathcal{N} \subset \mathbb{N}$ such that for $n \in \mathcal{N}$: $|\Pr[\mathcal{Z}_z(\mathcal{I}(\mathcal{S}, \pi_{\mathcal{F}_{MN}})) = 1] - \Pr[\mathcal{Z}_z(\mathcal{H}(\mathcal{A}', \pi)) = 1]| > \frac{1}{n^c}$, where $\mathcal{S}$ runs $\mathcal{A}'$ as a black-box as described above, i.e. $\mathcal{S} = \mathcal{S}(\mathcal{A}')$.

Defining the Hybrids. Without loss we assume that $\{1, \dots, N\} \setminus I_P = \{1, \dots, \eta\}$, and define an array of hybrid machines $T_0, \dots, T_\eta$. Set $T_0 = \mathcal{Z}_z(\mathcal{I}(\mathcal{S}(\mathcal{A}'), \pi_{\mathcal{F}_{MN}}))$ and then define $T_s$ by the following modification to $T_0$.

1. When $\mathcal{S}$ receives $(P_i, \text{Send})$ from $\mathcal{F}_{MN}$, for $i \notin I_P$, it checks if $i \in \{1, \dots, s\}$. If so it consults the storage of $\mathcal{F}_{MN}$ to find the message $m_i$ sent by $P_i$. Then $\mathcal{Z}'$ sends $m_i$ to $P_i$. Otherwise $\mathcal{Z}'$ sends a random message $m'_i \in G_q$ to $P_i$.

By inspection of the constructions we see that the output of $T_\eta$ is identically distributed to the output of $\mathcal{Z}_z(\mathcal{H}(\mathcal{A}', \pi))$, since the only essential difference is that $M_l$ does not hand knowledge of its transformation to $\mathcal{F}_{ZK}^{R_{DS}}$, but $\mathcal{F}_{ZK}^{R_{DS}}$ ignores $M_l$'s inability, so this is not discovered by $\mathcal{A}$ or $\mathcal{Z}$.

If we set $p_s = \Pr[T_s = 1]$, we have $\frac{1}{n^c} < |p_0 - p_\eta| \le \sum_{s=1}^{\eta} |p_{s-1} - p_s|$, which implies that there exists some fixed $0 < s \le \eta$ such that $|p_{s-1} - p_s| > \frac{1}{\eta n^c}$.

Defining a Distinguisher. We are now finally ready to define a distinguisher $D$. $D$ is confronted with the following test. An oracle first chooses $\alpha, \beta, \gamma \in \mathbb{Z}_q$ and a bit $b \in \{0, 1\}$ randomly and defines $(y'_l, u, v) = (g^\alpha, g^\beta, g^{\alpha\beta})$ if $b = 0$ and $(y'_l, u, v) = (g^\alpha, g^\beta, g^\gamma)$ otherwise. Then $D$ is given $(y'_l, u, v)$ and the task is to guess $b$. $D$ does the following. It replaces $y_l$ in $M_l$'s key generation by $y'_l$. This does not change the distribution of this key and thus does not change any of the hybrids. Since $M_l$ appears to behave honestly (with the help of $\mathcal{F}_{ZK}^{R_{DS}}$), the fact that $M_l$ does not know $\alpha = \log_g y'_l$ is never revealed, and since less than $k/2$ mix-servers are corrupted $\alpha$ need never be recovered. $D$ then simulates $T_s$ until $P_s$ receives the message (Send, $m_s$), at which point it forms a ciphertext $(u', v')$ from $(u, v)$ and $m_s$. Then $P_s$ is modified to hand (Write, $(u', v')$) to $\mathcal{F}_{BB}$, and (Prover, $(g, y, u', v')$, 1) to $\mathcal{F}_{ZK}^{R_C}$. Furthermore, $\mathcal{F}_{ZK}^{R_C}$ is modified to handle this message as if $((g, y, u', v'), 1) \in R_C$, i.e. it will essentially lie on $P_s$'s behalf. $D$ then continues the simulation of $T_s$ until it outputs a bit $b'$, which is then output by $D$.

If $(y'_l, u, v)$ is a Diffie-Hellman triple, then $(u', v')$ is a valid encryption of $m_s$ and the output of $D$ is identically distributed to the output of $T_s$. If on the other hand $(y'_l, u, v)$ is a random triple, then $(u', v')$ corresponds to an encryption of a random message $m'_s$, i.e. the output of $D$ is identically distributed to $T_{s-1}$. We conclude that $|\Pr[D(g^\alpha, g^\beta, g^\gamma) = 1] - \Pr[D(g^\alpha, g^\beta, g^{\alpha\beta}) = 1]| = |p_{s-1} - p_s| > \frac{1}{\eta n^c}$, which contradicts the DDH-assumption, and the theorem is true.
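The core of the distinguisher $D$ is that one DDH challenge is converted into the $s$-th sender's ciphertext: a Diffie-Hellman triple yields an honest encryption of $m_s$ (hybrid $T_s$), while a random triple yields an encryption of a uniformly random message (hybrid $T_{s-1}$). The Python below is an added illustration of that embedding and not code from the paper. It assumes a constructed toy group ($p = 1019$, $q = 509$, $g = 4$), encrypts under $y'_l$ alone rather than the joint mix-net key, and has the oracle return its exponent $\alpha$ only so that the two cases can be opened and compared, which the real $D$ cannot do.

```python
# Added illustration (not the paper's code) of the embedding used by the distinguisher D:
# a DDH challenge (y', u, v) becomes a ciphertext (u', v') = (u, v * m) for the s-th sender.
import secrets

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 has order q. Not for real use.
P, Q, G = 1019, 509, 4
_rng = secrets.SystemRandom()


def ddh_challenge(real):
    """The oracle from the proof: alpha, beta, gamma random in Z_q. Returns
    (g^alpha, g^beta, g^{alpha*beta}) when real, else (g^alpha, g^beta, g^gamma) with
    gamma != alpha*beta. alpha is returned as well, only so the demo can open the result;
    the distinguisher in the proof never learns it."""
    alpha, beta = _rng.randrange(1, Q), _rng.randrange(1, Q)
    gamma = alpha * beta % Q
    if not real:
        gamma = (gamma + _rng.randrange(1, Q)) % Q  # any other exponent: a non-DH triple
    return pow(G, alpha, P), pow(G, beta, P), pow(G, gamma, P), alpha


def embed(u, v, m):
    """D's step: (u', v') = (u, v * m). For a DH triple this is El Gamal of m under y' = g^alpha
    with randomness beta; for a random triple the 'message' it carries is m * g^{gamma - alpha*beta}."""
    return u, v * m % P


def decrypt(c, x):
    """El Gamal decryption with secret exponent x: v * u^{-x}."""
    u, v = c
    return v * pow(u, (Q - x) % Q, P) % P


def embedded_message(real, m):
    """What (u', v') actually encrypts: m itself for a DH triple (as in T_s),
    some other element of G_q for a random triple (as in T_{s-1})."""
    y_prime, u, v, alpha = ddh_challenge(real)
    return decrypt(embed(u, v, m), alpha)


def hybrid_gap_estimate(m, trials=200):
    """Frequency with which the embedded ciphertext opens to m in the two cases. An
    environment whose view depends on whether the s-th message really was m sees
    exactly this difference, which is the |p_{s-1} - p_s| the proof bounds."""
    hits_real = sum(embedded_message(True, m) == m for _ in range(trials))
    hits_rand = sum(embedded_message(False, m) == m for _ in range(trials))
    return hits_real / trials, hits_rand / trials
```

Because $g$ has prime order $q$, $g^{\gamma - \alpha\beta} \neq 1$ whenever $\gamma \neq \alpha\beta \bmod q$, so the random-triple case never opens to $m$; this is why the two hybrids differ only by the DDH bit, and any environment that tells $T_{s-1}$ from $T_s$ hands $D$ its advantage.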

Proof (Lemma 4). We describe an ideal adversary $\mathcal{S}(\cdot)$ that runs any hybrid adversary $\mathcal{A}'$ as a black-box. Then we show that if $\mathcal{S}$ does not imply that the protocol is secure, then we can break the DDH-assumption.

The Ideal Adversary $\mathcal{S}$. Let $I_P$ and $I_M$ be the sets of indices of participants corrupted by $\mathcal{A}$ of the sender type and the mix-server type respectively. The ideal adversary $\mathcal{S}$ corrupts the dummy participants $P_i$ for which $i \in I_P$, and the dummy participants $M_j$ for which $j \in I_M$. The ideal adversary is best described by starting with a copy of the original hybrid ITM-graph $(V, E) = \mathcal{Z}'(\mathcal{H}(\mathcal{A}', \pi))$, where we have replaced $\mathcal{Z}$ by a machine $\mathcal{Z}'$. The adversary $\mathcal{S}$ simulates all machines in $V$ except for those in $\mathcal{A}'$, and the corrupted machines $P_i$ for $i \in I_P$ and $M_i$ for $i \in I_M$ under $\mathcal{A}'$'s control. $\mathcal{S}$ simulates $\mathcal{F}_{BB}$ honestly.

Simulation of Links $(\mathcal{Z}, \mathcal{A})$, $(\mathcal{Z}, P_i)$ for $i \in I_P$, and $(\mathcal{Z}, M_j)$ for $j \in I_M$. $\mathcal{S}$ simulates $\mathcal{Z}'$, $P_i$ for $i \in I_P$, and $M_j$ for $j \in I_M$, such that it appears as if $\mathcal{Z}$ and $\mathcal{A}$, $\mathcal{Z}$ and $P_i$ for $i \in I_P$, and $\mathcal{Z}$ and $M_j$ for $j \in I_M$ are linked directly. For details on this see [47].

Simulation of Honest Verifiers. When an honest verifier $M_j$, for $j \notin I_M$, receives (Question, $P_i$, $(g, h, y, L, L')$) from $\mathcal{Z}$, $\mathcal{S}$ must ensure that the simulated honest verifier $M_j$ receives (Question, $P_i$, $(g, h, y, L, L')$) from $\mathcal{Z}'$. When the simulated honest verifier $M_j$ hands (Verifier, $P_i$, $b$) to $\mathcal{Z}'$, $\mathcal{S}$ must ensure that (Verifier, $P_i$, $b$) is delivered to $M_j$. This is done as follows.

1. Let $j \notin I_M$. If $\mathcal{S}$ receives $((\mathcal{S}, M_j, \text{Verifier}, P_i, (g, h, y, L, L'), b), (M_j, \tau_j))$ from $\mathcal{C}_{\mathcal{I}}$, $\mathcal{Z}'$ hands (Question, $P_i$, $(g, h, y, L, L')$) to $M_j$.

2. Let $j \notin I_M$. If $\mathcal{Z}'$ receives (Verifier, $P_i$, $b$) from $M_j$, $\mathcal{S}$ hands $(1, \tau_j)$ to $\mathcal{C}_{\mathcal{I}}$, i.e. $\mathcal{S}$ instructs $\mathcal{C}_{\mathcal{I}}$ to deliver (Verifier, $P_i$, $b$) to $M_j$.

Simulation of Honest Provers. If an honest dummy prover $P_i$, for $i \notin I_P$, receives a message (Prover, $(g, h, y, L, L')$, $w$) from $\mathcal{Z}$, $\mathcal{S}$ must ensure that $P_i$ constructs a simulated proof deemed valid by the verifiers $M_j$ despite that $\mathcal{S}$ does not know $w$. To be able to do this $\mathcal{S}$ must ensure that the honest mix-servers $M_j$, for $j \notin I_M$, do not complain. This is done as follows.

1. Let $j \notin I_M$. $M_j$ follows its program except that if $i \notin I_P$ it always sets $b_{j,\gamma} = 1$ in Step 2(b)iii (i.e. it never decrypts anything encrypted with $y_{j,i}$).

2. Suppose that $\mathcal{S}$ receives $(\mathcal{S}, P_i, \text{Prover}, (g, h, y, L, L'), 1)$ from $\mathcal{C}_{\mathcal{I}}$ for $i \notin I_P$. By construction there exists for each $\gamma$ some index $\zeta_\gamma$ such that $W_{\gamma,\zeta_\gamma} \cap I_M = \emptyset$. $\mathcal{S}$ hands (Prover, $(g, h, y, L, L')$, $\cdot$) to $P_i$, where Step 3 in the program of $P_i$ is replaced by the following. For $\gamma = 1, \dots, d$:

a) Set $L_{\gamma,0} = L$, and $L_{\gamma,t+1} = L'$.

b) Choose $a_{\gamma,l} \in \mathbb{Z}_q$ for $l \neq \zeta_\gamma$ randomly and define $\alpha_{\gamma,l} = g^{a_{\gamma,l}}$ for $l \neq \zeta_\gamma$, and $\beta_{\gamma,l} = \prod_{l'=l}^{t+1} \alpha_{\gamma,l'}$.

c) For $l = 1, \dots, \zeta_\gamma - 1$ choose a list $L_{\gamma,l}$ randomly under the restriction that $((g, h\beta_{\gamma,l+1}, \alpha_{\gamma,l}, L_{\gamma,l-1}, L_{\gamma,l}), w_{\gamma,l}) \in R_{DS}$ for some witness $w_{\gamma,l}$. For $l = t, \dots, \zeta_\gamma$ choose a list $L_{\gamma,l}$ randomly under the restriction that $((g, h\beta_{\gamma,l+2}, \alpha_{\gamma,l+1}, L_{\gamma,l}, L_{\gamma,l+1}), w_{\gamma,l+1}) \in R_{DS}$ for some witness $w_{\gamma,l+1}$.

d) Define $w_{\gamma,\zeta_\gamma} = (1, 1, \dots, 1)$.

e) Compute $C_{\gamma,j} = E_{y_{j,i}}(w_{\gamma,l})$ where the relation between $j$ and $l$ is given by $j \in W_{\gamma,l}$, for $j = 1, \dots, k$ and $l = 1, \dots, t+1$.

Note that all components of the (corrupt) proof of $P_i$ above except $C_{\gamma,j}$ for $j \in W_{\gamma,\zeta_\gamma}$ and $\gamma = 1, \dots, d$ are identically distributed to the proof of a prover following its program.

Extraction from Corrupt Provers. If a corrupt prover $P_i$, for $i \in I_P$, constructs a valid proof of knowledge, $\mathcal{S}$ must extract the knowledge and forward it to $\mathcal{F}_{ZK}^{R_{DS}}$. $\mathcal{S}$ does this as follows. By construction there exists an $0 < a \le d$ and a list $j_1, \dots, j_{t+1}$, such that $j_l \in W_{a,l}$, and $j_l \notin I_M$ for $l = 1, \dots, t+1$.

1. Suppose that $(\cdot, P_i, \text{Proof}, \{\alpha_{\gamma,t+1}, \{(\alpha_{\gamma,l}, L_{\gamma,l})\}_{l=1}^{t}, \{C_{\gamma,j}\}_{j=1}^{k}\}_{\gamma=1}^{d})$, for $i \in I_P$, appears on $\mathcal{F}_{BB}$. $\mathcal{S}$ interrupts the simulation of $\mathcal{F}_{BB}$ when $\mathcal{F}_{BB}$ receives a message on the form (Write, Verifier, $P_i$, $\cdot$) from $M_j$ and such messages have been received from all other mix-servers.

$\mathcal{S}$ then checks if the proof is deemed valid by the verifiers by performing the tests of Step 2(e)ii. If so $\mathcal{S}$ does the following.

a) It computes $w_{a,l} = D_{x_{j_l,i}}(C_{a,j_l})$ for $l = 1, \dots, t+1$.

b) From $w_{a,1}, \dots, w_{a,t+1}$ it is trivial to compute a witness $w$ such that $((g, h, y, L, L'), w) \in R_{DS}$.

c) Finally $\mathcal{S}$ hands (Prover, $(g, h, y, L, L')$, $w$) to $P_i$ (who forwards it to $\mathcal{F}_{ZK}^{R_{DS}}$). When $\mathcal{S}$ receives $(\mathcal{S}, P_i, \text{Prover}, (g, h, y, L, L'), 1)$ from $\mathcal{F}_{ZK}^{R_{DS}}$ it continues the simulation of $\mathcal{F}_{BB}$.

Reaching a Contradiction. Next we show, using a hybrid argument, that if the ideal adversary $\mathcal{S}$ defined above does not imply that Protocol 3 is secure, then we can break the DDH-assumption.

Suppose that $\mathcal{S}$ does not imply the security of the protocol. Then there exists a hybrid adversary $\mathcal{A}'$, an environment $\mathcal{Z}$ with auxiliary input $z = \{z_n\}$, a constant $c > 0$ and an infinite index set $\mathcal{N} \subset \mathbb{N}$ such that for $n \in \mathcal{N}$: $|\Pr[\mathcal{Z}_z(\mathcal{I}(\mathcal{S}, \pi_{\mathcal{F}_{ZK}^{R_{DS}}})) = 1] - \Pr[\mathcal{Z}_z(\mathcal{H}(\mathcal{A}', \pi)) = 1]| > \frac{1}{n^c}$, where $\mathcal{S}$ runs $\mathcal{A}'$ as a black-box as described above, i.e. $\mathcal{S} = \mathcal{S}(\mathcal{A}')$.

Defining the Hybrids. Without loss we assume that $\{1, \dots, N\} \setminus I_P = \{1, \dots, \eta\}$. We define $T_0 = \mathcal{Z}_z(\mathcal{I}(\mathcal{S}(\mathcal{A}'), \pi_{\mathcal{F}_{ZK}^{R_{DS}}}))$, and then define $T_s$ by the following modifications to $T_0$.

1. When $\mathcal{S}$ receives (Prover, $P_i$, $(g, h, y, L, L')$, 1) for $i \notin I_M$, it checks if $i \in \{1, \dots, s\}$. If so, $\mathcal{S}$ consults the internal storage of $\mathcal{F}_{ZK}^{R_{DS}}$ and finds the $w$ stored under the tag $(P_i, (g, h, y, L, L'))$. Then it runs a $P_i$ following the protocol on input (Prover, $(g, h, y, L, L')$, $w$). If $i \notin \{1, \dots, s\}$, then the simulation of $P_i$ proceeds as outlined above.

By inspection of the constructions we see that $T_\eta$ is identically distributed to $\mathcal{Z}_z(\mathcal{H}(\mathcal{A}', \pi))$, since the only essential difference is that honest verifiers do not verify the proofs of honest provers, but this is never noticed by $\mathcal{A}'$ or $\mathcal{Z}$.

If we set $p_s = \Pr[T_s = 1]$, we have $\frac{1}{n^c} < |p_0 - p_\eta| \le \sum_{s=1}^{\eta} |p_{s-1} - p_s|$, which implies that there exists some fixed $0 < s \le \eta$ such that $|p_{s-1} - p_s| > \frac{1}{\eta n^c}$.

Completing the Proof. We only argue informally for the remainder of the proof. For a formal proof we refer the reader to [47]. Informally we have shown that there is an adversary and an environment that can distinguish executions where the $s$-th prover follows its program and encrypts real shares of its proof, from executions where the $s$-th prover encrypts $(1, 1, \dots, 1)$ for the honest verifiers. From this observation we construct a distinguisher. A hybrid argument shows that this distinguisher violates the DDH-assumption.
Abstract. We consider compositional properties of reactive systems that are secure in a cryptographic sense. We follow the well-known simulatability approach of modern cryptography, i.e., the specification is an ideal system and a real system should in some sense simulate this ideal one. We show that if a system consists of a polynomial number of arbitrary ideal subsystems such that each of them has a secure implementation in the sense of blackbox simulatability, then one can securely replace all ideal subsystems with their respective secure counterparts without destroying the blackbox simulatability relation. We further prove our theorem for universal simulatability by showing that blackbox simulatability implies universal simulatability under reasonable assumptions. We show all our results with concrete security.



1 Introduction 

In recent times, the analysis of cryptographic protocols has been getting more and more 
attention, and thus the demand for general frameworks for representing cryptographic 
protocols and their security requirements has been rising. To enable a cryptographically 
correct analysis of cryptographic protocols, such frameworks have to capture proba- 
bilistic behaviors, complexity-theoretically bounded adversaries as well as a reactive 
environment of the protocol, i.e., continuous interaction with users and an adversary, 
e.g., in many protocol runs. Clearly, such frameworks further have to be rigorously 
defined to avoid ambiguities and to enable convincing proofs. Moreover, it is highly 
desirable that such frameworks provide a link to formal methods, i.e., to tool-supported 
verification of cryptographic protocols. Tool support can minimize flaws, which occur 
quite often if the distributed-systems aspects of cryptographic protocols are analyzed 
by hand. One ingredient for this is that the model should contain an abstract machine 
model besides Turing machines. The model of Pfitzmann and Waidner [31] is suitable 
for all these requirements and we use it as a rigorous foundation of this work. 

The model of [31] introduced a notion of security-preserving refinement, called reactive simulatability. This notion captures the idea of refinement that preserves not only integrity properties but also confidentiality properties. Intuitively it can be stated as follows, when applied to the relation between a real and an ideal system*: Everything that can happen to users of the real system in the presence of an arbitrary adversary A’ can also happen to the same users with the ideal system, where attack capabilities are

* Other terms are implementation and specification, or in special cases cryptographic and abstract system.

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 336-354, 2004. 
usually much more restricted, in the presence of another adversary A. In particular, it comprises confidentiality because the notion of what happens to users, called their view, not only includes their in- and outputs to the system, but also their communication with the adversary. This includes whether the adversary can guess secrets of the users or partial information about them. As it is often desirable to impose further restrictions on how the adversary A against the ideal service is constructed, simulatability comes in different flavors. The two most prominent ones (besides general simulatability as described above, which does not impose any restriction on A) are universal simulatability, which states that A has to be independent of the actual users of the protocol, and the (seemingly) more restrictive notion of black-box simulatability, which states that A consists of the original adversary A’ and a simulator that may only depend on the protocol itself.

One of the key results in the considered model is a composition theorem [31]. It states that if a larger system is designed based on a specification of a subsystem, and the implementation of the subsystem is later plugged in, the entire implementation of the larger system is as secure as its design in the same sense of reactive simulatability. This theorem (as well as its predecessor [30] for a synchronous reactive model) holds for all variants of simulatability (general, universal, and blackbox), but it is restricted to replacing one system. Obviously, a constant number of systems can then be replaced by applying the theorem multiple times.

In this work, we present a more comprehensive composition theorem for black- 
box simulatability by showing that a polynomial number (in a security parameter) of 
arbitrary systems can be composed without destroying the simulatability relation. The 
proof relies on what is often called a “standard hybrid argument” as first used in [15]. 
We further show that universal simulatability implies black-box simulatability under 
reasonable assumptions. This is of independent interest, but it in particular allows us to 
prove our theorem also for universal simulatability. We show all our results with concrete 
security. 

Related Literature. Simulatability was first sketched for secure multi-party function evaluation, i.e., for the computation of one output tuple from one tuple of secret inputs from each participant in [33] and defined (with different degrees of generality and rigor) in [14,6,27,9]. While composition theorems for special cases were proven in [6,27], the first general composition theorem for non-reactive simulatability was proven in [9].

An important step towards compositionality results of reactive systems was taken in [19,20], where the cryptographic security of specific systems was directly defined and verified using a formal language, the π-calculus, and security was expressed using observational equivalence. This notion is even stronger than reactive simulatability because the entire environment (corresponding to users and adversary together for reactive simulatability) must not be able to distinguish the implementation and the specification. Correspondingly, the concrete specifications used were not abstract; they essentially comprise the actual protocols including all cryptographic details. Composition was defined in the calculus by defining processes with “holes” for other processes, which then allows for composing a constant number of systems.

A reactive simulatability definition was first proposed (after some earlier sketches, in particular in [13,29,9]) in [16]. It is synchronous, covers a restricted class of protocols (straightline programs with restricted operators, in view of the constructive result of this paper), and simulatability is defined for the information-theoretic case only, where it can be done with a quantification over input sequences instead of active honest users.

The first composition theorem for reactive simulatability was given in [30] for a general synchronous reactive model, followed by essentially the same composition theorem [31] in the corresponding asynchronous model. Later than [31] but independently, another model of asynchronous reactive systems together with a composition theorem for reactive simulatability was developed in [10]. The theorem is specific for universal simulatability, but for this case it is more general than the ones in [30,31] since it additionally allows for securely composing a polynomial number of copies of an ideal service, which naturally correspond to different protocol instances in the real implementation. We stress that our composition theorem in this paper not only captures secure composition of a polynomial number of copies of one single ideal system but also of a polynomial number of truly arbitrary systems. However, our work was inspired by [10].

Besides considering composition as secure refinement, property-based composition has received interest in the literature: It considers the question whether systems that individually provide certain security properties still have these properties when they are run in parallel with other systems. For safety and liveness, general theories of this kind of compositionality exist [28,32,1], which are sufficient to reason about most functional system properties. However, many security properties are not safety and liveness properties, in particular confidentiality. Compositional information flow properties were first investigated in [23]. After that, much work has been devoted to identifying properties which are preserved under composition like, e.g., restrictiveness [23,24], forward correctability [18], or separability [25]. For certain security properties that are in general not preserved under composition, it is known how to restrict composition in order to preserve these properties [25,26]. More recent work concentrated on a uniform basis to reason about property-based composition [22,11]. 

Somewhere between both notions of composition, so-called preservation theorems exist, which state that specific properties are preserved under (reactive) simulatability. Such theorems exist for integrity [2], transitive and non-transitive non-interference [3,4], i.e., absence of information flow, and a class of liveness properties [5]. 

Outline. In Section 2 we review the model of reactive systems in asynchronous networks. Section 3 contains our composition theorem and its proof for black-box simulatability. In Section 4, we show that universal simulatability implies black-box simulatability under reasonable assumptions. In particular, this can be used to carry over our composition theorem to universal simulatability. 

2 Asynchronous Reactive Systems 

In this section, we review our model for secure reactive systems in an asynchronous 
network from [31]. Several definitions are only sketched whereas those that are important 
for understanding our results are given in full detail. All other details can be looked up 
in the original paper. 

2.1 General System Model 

Systems mainly consist of several interactive machines. Machines communicate via ports (local endpoints for different potential channels) and messages are strings over an alphabet $\Sigma$. Inspired by the CSP notation [17], we write output and input ports as $q!$ and $q?$ respectively. As in similar models, channels are defined implicitly by naming convention (and not by a separate graph), that is, port $q!$ sends messages to $q?$. For asynchronous timing, a message is not immediately delivered to its recipient, but first stored in a special machine $\tilde{q}$ called a buffer. If a machine wants to schedule the $i$-th message of buffer $\tilde{q}$, it must have the unique clock-out port $q^{\triangleleft}!$, and it sends $i$ at $q^{\triangleleft}!$, see Figure 1. The buffer then outputs and deletes its $i$-th message. For a port $p$, we write $p^c$ to denote the port which it connects to according to Figure 1, i.e., $q!^c = q^{\leftrightarrow}?$, $q^{\leftrightarrow}!^c = q?$, $q^{\triangleleft}!^c = q^{\triangleleft}?$ and vice versa. The in- and output ports in a port set or port sequence $P$ are denoted $\mathrm{in}(P)$ and $\mathrm{out}(P)$. 

Fig. 1. Ports and buffers. Specifications only need to spell out the black part. 

Our primary machine model is probabilistic state-transition machines, similar to 
probabilistic I/O automata as in Lynch [21] (and also essentially in [6,27]). If a machine 
is switched, it receives an input tuple at its input ports and performs its transition function. 
This yields a new state and an output tuple in the deterministic case, or a finite distribution 
over such pairs in the probabilistic case. Moreover, each machine has a function bounding 
the length of the considered inputs; this allows flexible time bounds independent of the 
environment. 

Definition 1. (Machines) A machine is a tuple 

$M = (name_M, Ports_M, States_M, \delta_M, l_M, Ini_M, Fin_M)$ 

of a name $name_M \in \Sigma^+$, a finite sequence $Ports_M$ of ports, a set $States_M \subseteq \Sigma^*$ of states, a probabilistic state-transition function $\delta_M$, a length function $l_M : States_M \to (\mathbb{N} \cup \{\infty\})^{|\mathrm{in}(Ports_M)|}$ and sets $Ini_M, Fin_M \subseteq States_M$ of initial and final states. Its input set is $\mathcal{I}_M := (\Sigma^*)^{|\mathrm{in}(Ports_M)|}$; the $i$-th element of an input tuple denotes the input at the $i$-th in-port. Its output set is $\mathcal{O}_M := (\Sigma^*)^{|\mathrm{out}(Ports_M)|}$. The empty word, $\epsilon$, denotes no in- or output at a port. $\delta_M$ probabilistically maps each pair $(s, I) \in States_M \times \mathcal{I}_M$ to a pair $(s', O) \in States_M \times \mathcal{O}_M$. 

Two restrictions apply to $\delta_M$: Every output distribution has to be finite, and if $I = (\epsilon, \ldots, \epsilon)$, then $\delta_M(s, I) = (s, (\epsilon, \ldots, \epsilon))$. Inputs are ignored beyond the length bounds, i.e., $\delta_M(s, I) = \delta_M(s, I\lceil_{l_M(s)})$ for all $I \in \mathcal{I}_M$, where $r\lceil_l$ for $l \in \mathbb{N}$, $r \in \Sigma^*$ denotes the $l$-symbol prefix, and the notation is lifted to tuples. We further demand $l_M(s) = (0, \ldots, 0)$ for every $s \in Fin_M$. ◇ 

In the text, we often write "$M$" for $name_M$. The set (in contrast to the sequence) of ports of a machine $M$ is denoted by $ports(M)$, and similarly for sets of machines. 

A collection $C$ of machines is a set of machines with pairwise different machine names and disjoint sets of ports. The completion $[C]$ of a collection $C$ is the union of all machines of $C$ and the buffers needed for every channel. A port of a collection is called free if its connecting port is not in the collection. These ports will be connected to the users and the adversary. The free ports of a completion $[C]$ are denoted as $free([C])$. A collection $C$ is called closed if its completion $[C]$ has no free ports except a special master clock-in port $clk^{\triangleleft}?$. 

A closed collection represents a "runnable" system and a probability space of runs (sometimes called traces or executions) is defined for it. Machines switch sequentially, i.e., we have exactly one active machine $M$ at any time. If this machine has clock out-ports, it can select the next message to be delivered by scheduling a buffer via one of these clock out-ports. If the buffer contains a message at the selected position, it delivers this message, and the receiving machine is the next active machine. If $M$ tries to schedule multiple messages, only one is taken, and if it schedules none or the message does not exist, the master scheduler $X$ becomes active. Formally, runs are defined as follows. 

Definition 2. (Runs and Views) Let $C$ be a closed collection with master scheduler $X$. Runs and their probability spaces are defined inductively by the following algorithm for each tuple $ini \in \times_{M \in C} Ini_M$ of initial states. The algorithm maintains variables for the state of each machine and treats each port as a variable over $\Sigma^*$, initialized with $\epsilon$ except for $clk^{\triangleleft}? := 1$. It further maintains a variable $M_{CS}$ ("current scheduler") over machine names, initially $M_{CS} := X$, for the currently active non-buffer machine, and a variable $r$ for the resulting run, an initially empty list. The algorithm has five phases. Probabilistic choices only occur in Phase 1. 

1. Switch current scheduler: Switch the current machine $M_{CS}$, i.e., set $(s', O) \leftarrow \delta_{M_{CS}}(s, I)$ for its current state $s$ and in-port values $I$. Then assign $\epsilon$ to all in-ports of $M_{CS}$. 

2. Termination: If $X$ is in a final state, the run stops. (As $X$ made no outputs in this case, this only prevents repeated master clock inputs.) 

3. Store outputs: For each simple out-port $o!$ of $M_{CS}$ with $o! \neq \epsilon$, in their given order, switch buffer $\tilde{o}$ with input $o^{\leftrightarrow}? := o!$. Then assign $\epsilon$ to these ports $o!$ and $o^{\leftrightarrow}?$. 

4. Clean up scheduling: If at least one clock out-port of $M_{CS}$ has a value $\neq \epsilon$, let $n^{\triangleleft}!$ denote the first such port and assign $\epsilon$ to the others. Otherwise let $clk^{\triangleleft}? := 1$ and $M_{CS} := X$ and go to Phase 1. 

5. Deliver scheduled message: Switch buffer $\tilde{n}$ with input $n^{\triangleleft}? := n^{\triangleleft}!$, set $n? := n^{\leftrightarrow}!$ and then assign $\epsilon$ to all ports of $\tilde{n}$ and to $n^{\triangleleft}!$. If $n? = \epsilon$ let $clk^{\triangleleft}? := 1$ and $M_{CS} := X$. Else let $M_{CS} := M'$ for the unique machine $M'$ with $n? \in ports(M')$. Go to Phase 1. 

Whenever a machine (this may be a buffer) $M$ switches from $(s, I)$ to $(s', O)$, we add a step $(name_M, s, I, s', O)$ to the run $r$ with the following two restrictions. First, we cut each input according to the respective length function, i.e., we replace $I$ by $I' := I\lceil_{l_M(s)}$. Secondly, we do not add the step to the run if $I' = (\epsilon, \ldots, \epsilon)$, i.e., if nothing happens in reality. This gives a random variable $run_{C,ini}$ for each tuple $ini \in \times_{M \in C} Ini_M$ of initial states, and similarly for $l$-step prefixes $run_{C,ini,l}$. 

The view of a subset $\mathcal{M} \subseteq C$ of machines in a run $r$ is the subsequence of $r$ consisting of those steps where a machine of $\mathcal{M}$ switches. This gives a random variable $view_{C,ini}(\mathcal{M})$ for each tuple $ini$ of initial states, and similarly for $l$-step prefixes $view_{C,ini,l}(\mathcal{M})$ of the view. For a singleton $\mathcal{M} = \{H\}$ we write $view_{C,ini}(H)$ for 
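An executor for the five-phase run algorithm of Definition 2, as an added example (not code from the paper): it models only deterministic machines, uses ASCII port names (`q<!` for the clock out-port, `~q` as the record name for buffer steps), and runs a constructed three-machine scenario; all of these are assumptions of this example.

```python
"""Executor for the five-phase run algorithm of Definition 2 (added example,
not the paper's own code).  Only deterministic machines are modelled, so
Phase 1 involves no probabilistic choice and the run is a fixed list of steps.
Port names are ASCII: "q!"/"q?" simple out/in-port, "q<!"/"q<?" clock
out/in-port, "clk<?" the master clock-in port (all assumptions of this example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

EPS = ""                     # the empty word: no in- or output at a port
Inputs = Dict[str, str]
Step = Tuple[str, str, Inputs, str, Dict[str, str]]   # (name, s, I, s', O)


@dataclass
class Machine:
    name: str
    in_ports: List[str]
    out_ports: List[str]
    delta: Callable[[str, Inputs], Tuple[str, Dict[str, str]]]   # (s, I) -> (s', O)
    state: str
    final: frozenset = frozenset()


class ClosedCollection:
    """Machines plus one buffer per channel q, fed by q!, scheduled by q<!,
    delivering to q?.  Buffer steps are recorded under the name "~q"."""

    def __init__(self, machines: List[Machine], master: str = "X"):
        self.machines = {m.name: m for m in machines}
        self.master = master
        self.buffers: Dict[str, List[str]] = {
            p[:-1]: [] for m in machines for p in m.out_ports if not p.endswith("<!")}
        self.run: List[Step] = []

    def _receiver(self, in_port: str) -> Machine:
        return next(m for m in self.machines.values() if in_port in m.in_ports)

    def _switch(self, m: Machine, pending: Inputs) -> Dict[str, str]:
        """Phase 1: switch m on its current in-port values; a step with an
        all-empty input tuple is not added to the run (nothing happens)."""
        inputs = {p: pending.get(p, EPS) for p in m.in_ports}
        if all(v == EPS for v in inputs.values()):
            return {}
        new_state, outputs = m.delta(m.state, inputs)
        self.run.append((m.name, m.state, inputs, new_state, outputs))
        m.state = new_state
        return outputs

    def execute(self, max_rounds: int = 100) -> List[Step]:
        cs = self.machines[self.master]
        pending: Inputs = {"clk<?": "1"}       # every port starts at EPS except clk<?
        for _ in range(max_rounds):
            outputs = self._switch(cs, pending)                     # Phase 1
            if cs.name == self.master and cs.state in cs.final:
                break                                               # Phase 2
            for port, value in outputs.items():                     # Phase 3
                if port.endswith("!") and not port.endswith("<!") and value != EPS:
                    q = port[:-1]
                    self.buffers[q].append(value)
                    self.run.append(("~" + q, "", {q + "~?": value}, "", {}))
            clocked = [p for p, v in outputs.items() if p.endswith("<!") and v != EPS]
            if not clocked:                                         # Phase 4
                cs, pending = self.machines[self.master], {"clk<?": "1"}
                continue
            n, idx = clocked[0][:-2], int(outputs[clocked[0]])      # first clock port wins
            buf = self.buffers[n]
            msg = buf.pop(idx - 1) if 1 <= idx <= len(buf) else EPS   # Phase 5
            self.run.append(("~" + n, "", {n + "<?": str(idx)}, "", {n + "~!": msg}))
            if msg == EPS:
                cs, pending = self.machines[self.master], {"clk<?": "1"}
            else:
                cs, pending = self._receiver(n + "?"), {n + "?": msg}
        return self.run

    def view(self, names) -> List[Step]:
        """The view of a set of machines: the steps of the run where one of them switches."""
        return [step for step in self.run if step[0] in names]


def ping_pong_demo() -> ClosedCollection:
    """Constructed scenario: master scheduler X pings M1 over channel a, M1
    answers M2 over channel b, M2 schedules nothing, so control falls back
    to X, which then enters a final state and ends the run."""
    def x_delta(s, inputs):
        return ("waiting", {"a!": "ping", "a<!": "1"}) if s == "start" else ("done", {})

    def m1_delta(s, inputs):
        return "replied", {"b!": "pong:" + inputs["a?"], "b<!": "1"}

    def m2_delta(s, inputs):
        return "got:" + inputs["b?"], {}

    coll = ClosedCollection([
        Machine("X", ["clk<?"], ["a!", "a<!"], x_delta, "start", frozenset({"done"})),
        Machine("M1", ["a?"], ["b!", "b<!"], m1_delta, "idle"),
        Machine("M2", ["b?"], [], m2_delta, "idle"),
    ])
    coll.execute()
    return coll
```

The run of the demo contains eight steps (two buffer steps per delivered message), and `coll.view({"M1"})` is the one-step subsequence in which M1 switches.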

2.2 Security-Specific System Model 

We now define specific collections for security purposes. We start with the definition of 
structures. Intuitively, these are the machines that execute a security protocol. They have 
a distinguished set of service ports. This is a subset of the free ports where, intuitively, a 
certain service is guaranteed, while remaining free ports are meant only for the adversary. 
Typical examples of inputs at service ports are “send message m to participant id” for a 
message transmission system or “pay amount x to participant id” for a payment system, 
while typical non-service ports are those of insecure network connections in a real 
system. For cryptographic purposes, the initial state of all machines in a structure is a 
security parameter k in unary representation. 

Definition 3. (Structures and Service Ports) A structure is a pair $struc = (\hat{M}, S)$ where $\hat{M}$ is a collection of simple machines (i.e., with only normal in- and out-ports and clock out-ports) with $\{1\}^* \subseteq Ini_M$ for all $M \in \hat{M}$, and $S \subseteq free([\hat{M}])$. The set $S$ is called service ports. ◇ 

Forbidden ports for users of a structure are those that clash with port names of given 
machines and those that would link the user to a non-service port. 

Definition 4. (Forbidden Ports) For a structure $(\hat{M}, S)$ let $S^c := free([\hat{M}]) \setminus S$. We call $forb(\hat{M}, S) := ports(\hat{M}) \cup S^c$ the forbidden ports. ◇ 

A system is a set of structures. The idea behind systems is that there may be different 
actual structures depending on the set of actually malicious participants. 

Definition 5. (Systems) A system $Sys$ is a set of structures. ◇ 

A structure can be complemented to a configuration by adding a user machine and 
an adversary machine. The user is restricted to connecting to the service ports. The 
adversary closes the collection, i.e., it connects to the remaining service ports, the other 
free ports of the collection, and the free ports of the user. Thus, user and adversary 
can interact, e.g., for modeling active attacks. 

Definition 6. (Configurations) A configuration of a structure $(\hat{M}, S)$ is a tuple $conf = (\hat{M}, S, H, A)$ where 

— $H$ is a machine called user with $ports(H) \cap forb(\hat{M}, S) = \emptyset$ and $\{1\}^* \subseteq Ini_H$, 

— $A$ is a machine called adversary with $\{1\}^* \subseteq Ini_A$, 

— and the completion $C := [\hat{M} \cup \{H, A\}]$ is a closed collection. 

The set of configurations of $(\hat{M}, S)$ is written $Conf(\hat{M}, S)$. The notation $Conf()$ is lifted to sets of structures, i.e., systems. We write $conf.\hat{M}$ for $conf[1]$ (component selection function) and similarly $conf.S$, $conf.H$, and $conf.A$, and $conf.struc$ for $conf[1,2]$. ◇ 
2.3 Parametrized Systems 

In many typical systems, the structures only depend on the trust model, but not on the 
security parameter k. In a parametrized system this is different. Hence such a system 
is partitioned into different subsystems for different values of k. “Normal” systems can 
naturally be identified with parametrized systems where all subsystems are equal. 

Definition 7. (Parametrized Systems) A parametrized system is a system $Sys$ together with a partitioning $(Sys_k)_{k \in \mathbb{N}}$, i.e., the elements $Sys_k$ are pairwise disjoint systems with $Sys = \bigcup_{k \in \mathbb{N}} Sys_k$. In slight abuse of notation we also call the sequence of partitions $Sys$, and if the system is called $Sys$, the notation $Sys_k$ always refers to the $k$-th element in the partition sequence. 

A bounding function for a parametrized system is a function $P$ such that for all $k \in \mathbb{N}$ and $(\hat{M}, S) \in Sys_k$ we have $|\hat{M}| \leq P(k)$ and the runtime of every $M \in \hat{M}$ on initial input $1^k$ is bounded by $P(k)$ in the sense of circuit complexity (more precisely, circuit size). A parametrized system is polynomial-time if it has a polynomial bounding function. ◇ 

Circuit complexity, i.e., non-uniform complexity, is natural for this definition because one can consider every machine $M$, used only for security parameter $k$, as a separate circuit. As we want to bound the overall runtime of a machine with respect to its initial input length, just as in the uniform case, this can be defined by one normal non-cyclic circuit for each machine. Meaningful uniform complexity for such a definition requires a universal machine that simulates all these structures, and a generation algorithm for structures. However, our results are reductions with concrete security (as first introduced as a general concept with special notation in [8]), and usable for a wide range of complexity measures. In those reductions we actually work with Turing complexity because it is defined in full detail for our interacting machines. 

A parametrized system considers the potentially used subsystems as potentially available from the start. This is also implicitly the case in [10] because although a subsystem is said to be generated there, it springs up magically in distributed locations by this operation. This means that all the connections must be assumed to be predefined. A truly dynamic system would need to distribute port or machine names of new machines, like the $\pi$-calculus does. We do not see any specific reason why our theorem should not hold for this case, but it would require a rigorous definition first. 

We now define user and adversary of a parametrized system. 

Definition 8. (User and Adversary of a Parametrized System) A user and an adversary of a parametrized system $Sys$ are families $(H_{struc})_{struc \in Sys}$, $(A_{struc})_{struc \in Sys}$ such that $(\hat{M}, S, H_{(\hat{M},S)}, A_{(\hat{M},S)}) \in Conf(Sys)$ for all $(\hat{M}, S) \in Sys$. ◇ 

To reason about the complexity of users and adversaries, or more generally families of 
machines, we define the parametrized complexity. 

Definition 9. (Parametrized Complexity) Let $X = \bigcup_{k \in \mathbb{N}} X_k$ be a partitioned index set (with the same conventions as for systems) and let $A = (A_x)_{x \in X}$ be a family of machines with $\{1\}^* \subseteq Ini_{A_x}$ for every $x \in X$. We say that $A$ is of complexity $t : \mathbb{N} \to \mathbb{N}$ if for all $x \in X_k$, the runtime of $A_x$ on initial input $1^k$ is bounded by $t(k)$ in the sense of circuit complexity. We sometimes write $t_A$ for "the" complexity of $A$. ◇ 
Fig. 2. Example of simulatability. The view of H is compared. 



2.4 Defining Security with Simulatability 

Reactive simulatability essentially means that whatever might happen to an honest user in a real system $Sys_1$ can also happen in an ideal system $Sys_2$. More precisely, for every configuration $conf_1$ of $Sys_1$, there exists a configuration $conf_2$ of $Sys_2$ with the same user yielding indistinguishable views for this user. A typical situation is illustrated in Figure 2. 

However, we do not want to compare a structure of $Sys_1$ with arbitrary structures of $Sys_2$, but only with certain suitable ones. What suitable means in a concrete situation can be defined by a mapping $f$ from $Sys_1$ to $Sys_2$. The mapping $f$ is called valid if it maps structures with the same service ports, so that the same user can connect. 

Definition 10. (Valid Mappings) A valid mapping between two systems $Sys_1$ and $Sys_2$ is a function $f : Sys_1 \to Sys_2$ with $(\hat{M}_2, S_2) = f((\hat{M}_1, S_1)) \Rightarrow S_1 = S_2$. We call $f((\hat{M}_1, S_1))$ the corresponding structure of $(\hat{M}_1, S_1)$. If the systems are parametrized, we also require $f(Sys_{1,k}) \subseteq Sys_{2,k}$ for all $k \in \mathbb{N}$. ◇ 

A technical problem for reactive simulatability is that a correct user of a structure from $Sys_1$ might have forbidden ports in the corresponding structure. Configurations where this does not happen are called suitable; we restrict the simulatability definition to those. We omit a rigorous definition for brevity. For a valid mapping $f : Sys_1 \to Sys_2$, let $Conf^f(Sys_1)$ be the set of suitable configurations. 

We present the definition of indistinguishability for two families of random vari- 
ables with a common partitioned index set and with versions for concrete security, 
following [34,7,12]. 

Definition 11. (Indistinguishability) Let two families $(var_x)_{x \in X}$ and $(var'_x)_{x \in X}$ of discrete probability distributions (random variables) be given. 

- They are called perfectly indistinguishable iff $var_x = var'_x$ for all $x \in X$. 

- They are called statistically $\delta$-indistinguishable for a function $\delta : \mathbb{N} \to \mathbb{R}_{\geq 0}$ iff the statistical distance 

$\Delta_{stat}(var_x, var'_x) := \frac{1}{2} \sum_{d} |Pr(var_x = d) - Pr(var'_x = d)|$ 

is at most $\delta(k)$ for all $k$ and all $x \in X_k$. 

- An algorithm $Dis$ is called a $(t, \delta)$-distinguisher for $var_x$ and $var'_x$ for $t \in \mathbb{N}$, $\delta \in \mathbb{R}_{\geq 0}$, and $x \in X_k$ iff its complexity is at most $t$ and 

$\delta^{Dis}_x := |Pr(Dis(1^k, var_x) = 1) - Pr(Dis(1^k, var'_x) = 1)| \geq \delta.$ 

- The distributions are called polynomially indistinguishable iff for all polynomials $t$ and all distinguishers $(Dis_x)_{x \in X}$ with complexity $t$ in their first parameter, there exists a negligible function $\delta$ such that $\delta^{Dis_x}_x \leq \delta(k)$ for all $k$ and all $x \in X_k$. ◇ 

We write "$\approx_y$" for indistinguishability with $y$ = perf, $\delta$, or poly, respectively. We write "$\approx$" if we want to treat all cases together, and we often write "$=$" for "$\approx_{perf}$". We later need that indistinguishability of families of random variables implies indistinguishability of functions of them, e.g., of "parts" of the random variables. 

Lemma 1. (Indistinguishability of Derived Distributions) Let $var, var'$ be families of probability distributions with partitioned index set $X$ and a common family of domains $D$, and let $\phi = (\phi_x)_{x \in X}$ be a family of functions $\phi_x$ on $D_x$ (to strings, but encoding domains as strings is not made explicit). Then the following holds: 

- $var \approx_y var' \Rightarrow \phi(var) \approx_y \phi(var')$ if $y$ is perf, or a function $\delta$. 

- Every $(t, \delta)$-distinguisher $Dis_{\phi,x}$ for $\phi(var_x)$ and $\phi(var'_x)$ gives rise to a $(t', \delta)$-distinguisher $Dis_x$ for $var_x$ and $var'_x$ with $t' = t + t_\phi(b(k))$, where $t_\phi : \mathbb{N} \to \mathbb{N}$ denotes the complexity of $\phi$, and $b : \mathbb{N} \to \mathbb{N}$ bounds the length of the random variables, i.e., $|v| \leq b(k)$ for all $v \in D_x$ and $x \in X_k$. 

- $var \approx_{poly} var' \Rightarrow \phi(var) \approx_{poly} \phi(var')$ if the random variables are of polynomial length, and $\phi$ is of polynomial complexity. □ 

This is clear for the perfect case, and can be easily shown by computations on statistical distances for the statistical case. For concrete complexity and the computational case, the distinguisher family $Dis$ for the original distributions is defined by $Dis_x(1^k, v) := Dis_{\phi,x}(1^k, \phi_x(v))$ for all $k$ and $x \in X_k$, and for $v$ of length at most $b(k)$. 

We are now ready to define reactive simulatability for parametrized systems. We require that there exists an extension $f_C$ of the valid structure mapping $f$ to a configuration mapping that leaves the user unchanged, i.e., we skolemize the existence of corresponding adversaries in Figure 2. We then consider the families of user views $view_{conf_1}(H)$ and $view_{f_C(conf_1)}(H)$ where all machines have initial input $1^k$ for the security parameter $k$ to which this configuration belongs. Each of these two families contains one well-defined probability distribution for each configuration $conf_1$. Overall these are two families of distributions with the partitioned index set $Conf^f(Sys_1) = \bigcup_{k \in \mathbb{N}} Conf^f(Sys_{1,k})$. Similarly, we obtain two families $view_{conf_1,l}(H)$ and $view_{f_C(conf_1),l}(H)$ for $l$-step prefixes of user views. 

Definition 12. (Reactive Simulatability) Let parametrized systems $Sys_1$ and $Sys_2$ with a valid mapping $f$ be given. For reactive simulatability, we require that there exists a function $f_C : Conf^f(Sys_1) \to Conf(Sys_2)$ with $f_C(conf_1).struc = f(conf_1.struc)$ and $f_C(conf_1).H = conf_1.H$ for all $conf_1 \in Conf^f(Sys_1)$, and with the following properties. We say that $f_C$ is a $\tau$-mapping for a structure $struc_1$ and a function $\tau : \mathbb{N} \to \mathbb{N}$ if the complexity $t_{f_C(conf_1).A}$ is bounded by $\tau(t_{conf_1.A})$ for all $conf_1 \in Conf^f(struc_1)$. The entire $f_C$ is a $\tau$-mapping for a function $\tau : \mathbb{N}^2 \to \mathbb{N}$ if for all $conf_1 \in Conf^f(Sys_{1,k})$ we have $t_{f_C(conf_1).A} \leq \tau(k, t_{conf_1.A})$. 

We say that $Sys_1 \geq^{f,y}_{sec} Sys_2$, spoken "$y'$-at least as secure as", under the following conditions for different cases of $y$ and $y'$, where we abbreviate $H := conf_1.H$: 

a) $y$ = perf and $y'$ = "perfectly" iff $view_{conf_1}(H)$ and $view_{f_C(conf_1)}(H)$ are perfectly indistinguishable for every $conf_1 \in Conf^f(Sys_1)$. 

b) $y = \delta$ and $y'$ = "$\delta$-statistically" for a function $\delta : \mathbb{N}^2 \to \mathbb{R}_{\geq 0}$ iff for every $conf_1 \in Conf^f(Sys_{1,k})$ and every $l \in \mathbb{N}$ we have $view_{conf_1,l}(H) \approx_{\delta(k,l)} view_{f_C(conf_1),l}(H)$. 

c) Concrete security: An algorithm $Dis$ is called a $(t, \delta)$-distinguisher for $conf_1 \in Conf^f(Sys_{1,k})$ and $f_C(conf_1)$ where $t \in \mathbb{N}$ and $\delta \in \mathbb{R}_{\geq 0}$ iff its complexity is at most $t$ and $\delta_{conf_1} \geq \delta$, where 

$\delta_{conf_1} := |Pr(Dis(1^k, view_{conf_1}(H)) = 1) - Pr(Dis(1^k, view_{f_C(conf_1)}(H)) = 1)|.$ 

d) $y$ = poly and $y'$ = "polynomially" iff for all users $H$ and adversaries $A$ of polynomial complexity, the views $(view_{conf_1}(H))_{conf_1 \in Conf^f(Sys_1)}$ and $(view_{f_C(conf_1)}(H))_{conf_1 \in Conf^f(Sys_1)}$ are polynomially indistinguishable and $f_C$ is a $P$-mapping for a polynomial $P$. 

Universal simulatability means that $f_C(conf_1).A$ (i.e., $A_2$ in Figure 2) for $conf_1 = (\hat{M}_1, S, H, A_1)$ only depends on $\hat{M}_1$, $S$, and $A_1$. We write $\geq^{f,y}_{uni}$ instead of $\geq^{f,y}_{sec}$ if we want to emphasize this case. ◇ 

Where the difference between the types of security is irrelevant, we only write $\geq_{sec}$, and we omit the indices $f$ and $sec$ if they are clear from the context. 

An essential ingredient in the composition theorem and other uses of the model is a notion of combining several machines into one, and a lemma that this makes no essential difference in views. The combination is defined in a canonical way by considering a combined state space and letting each transition function operate on its respective part. We omit details for brevity. The combination of a set $\hat{M}$ of machines is written $comb(\hat{M})$, and we sometimes write $comb(M_1, \ldots, M_j)$ for $comb(\{M_1, \ldots, M_j\})$. 

Lemma 2. (Machine Combination) Let $C$ be a collection without buffers, and $D \subseteq C$. The view of every set of original machines in $(C \setminus D) \cup \{comb(D)\}$ is the same as in $C$. This includes the view of the submachines in $comb(D)$, which is well-defined given $C$ and $D$. The Turing complexity of $comb(D)$ is the sum of the complexities of the machines in $comb(D)$. □ 

We can now add the notion of blackbox simulatability to Definition 12. Here $A_2$ is given as the combination of a fixed "simulator" $Sim$ and a machine $A'_1$ that is identical to $A_1$ up to port renaming. 

Definition 13. (Blackbox Simulatability) With the notation of Definition 12, blackbox simulatability means that we have functions $f_{Sim}$ from $Sys_1$ to machines (the simulators for the structures) and $f_\sigma$ from $Sys_1$ to port renaming functions such that for all $conf_1 = (\hat{M}_1, S, H, A_1) \in Conf^f(Sys_1)$ we have $f_C(conf_1) = (\hat{M}_2, S, H, A_2)$ with $(\hat{M}_2, S) = f((\hat{M}_1, S))$ and $A_2 = comb(Sim, A'_1)$ with $Sim := f_{Sim}((\hat{M}_1, S))$ and $A'_1 := f_\sigma((\hat{M}_1, S))(A_1)$. For computational security, we require that $Sim$ is polynomial-time, i.e., that the parametrized complexity of $(f_{Sim}((\hat{M}_1, S)))_{(\hat{M}_1, S) \in Sys_1}$ is polynomially bounded. We write $\geq_{bb}$ instead of $\geq_{sec}$ if we want to emphasize this case (with the respective superscripts). ◇ 
2.5 Composition 

When composing several systems, one typically does not want to compose every structure of one system with every structure of the others, but only with certain matching ones. For instance, if the individual machines of $Sys_2$ are implemented on the same physical devices as those of $Sys_1$, as usual in a layered distributed system, we only compose structures corresponding to the same set of corrupted physical devices. However, this is not the only conceivable situation. Hence we do not define a composition operator that produces one specific composition, but a set of possible compositions. 

Definition 14. (Composability and Composition of Structures) We call structures $(\hat{M}_1, S_1), \ldots, (\hat{M}_n, S_n)$ composable if $ports(\hat{M}_i) \cap forb(\hat{M}_j, S_j) = \emptyset$ and $S_i \cap free([\hat{M}_j]) = S_j \cap free([\hat{M}_i])$ for all $i \neq j$.¹ We then define their composition as $(\hat{M}_1, S_1) \| \cdots \| (\hat{M}_n, S_n) := (\hat{M}, S)$ with $\hat{M} := \hat{M}_1 \cup \cdots \cup \hat{M}_n$ and $S := (S_1 \cup \cdots \cup S_n) \cap free([\hat{M}])$. ◇ 
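The port bookkeeping behind Definitions 4 and 14 (completion, free ports, forbidden ports, the two composability conditions, and the composed service ports), as an added example that is not code from the paper; the ASCII port suffixes and the two-layer channel/application structures are constructed assumptions of this example.

```python
"""Port bookkeeping for Definitions 4 and 14 (added example, not the paper's
own code).  ASCII stand-ins for the paper's port symbols, an assumption of
this example: "q!"/"q?" simple out/in-port, "q<!"/"q<?" clock out/in-port,
"q~?"/"q~!" the in/out-port of buffer q."""
from typing import FrozenSet, List, Tuple

Ports = FrozenSet[str]
Structure = Tuple[Ports, Ports]            # (ports(M), S) of a structure (M, S)
SUFFIXES = ("<!", "<?", "~!", "~?", "!", "?")   # two-character suffixes first
CONNECTS = {"!": "~?", "~?": "!", "<!": "<?", "<?": "<!", "~!": "?", "?": "~!"}


def split(port: str) -> Tuple[str, str]:
    for suffix in SUFFIXES:
        if port.endswith(suffix):
            return port[:-len(suffix)], suffix
    raise ValueError(port)


def connecting_port(port: str) -> str:
    """p^c of Fig. 1: q! <-> q~?, q~! <-> q?, q<! <-> q<?."""
    channel, suffix = split(port)
    return channel + CONNECTS[suffix]


def completion(ports: Ports) -> Ports:
    """[C]: the machines' ports plus the three ports of a buffer for every channel."""
    buffer_ports = {split(p)[0] + s for p in ports for s in ("~?", "<?", "~!")}
    return ports | frozenset(buffer_ports)


def free(ports: Ports) -> Ports:
    """free([C]): ports of the completion whose connecting port is not in it."""
    comp = completion(ports)
    return frozenset(p for p in comp if connecting_port(p) not in comp)


def forbidden(struc: Structure) -> Ports:
    """forb(M, S) = ports(M) together with the non-service free ports (Definition 4)."""
    m_ports, service = struc
    return m_ports | (free(m_ports) - service)


def composable(structs: List[Structure]) -> bool:
    """Both conditions of Definition 14, checked for every ordered pair i != j."""
    for i, (mi, si) in enumerate(structs):
        for j, (mj, sj) in enumerate(structs):
            if i == j:
                continue
            if mi & forbidden((mj, sj)):            # M_i would connect to a forbidden port
                return False
            if si & free(mj) != sj & free(mi):      # footnote 1: shared free ports must agree
                return False
    return True


def compose(structs: List[Structure]) -> Structure:
    """(M_1,S_1)||...||(M_n,S_n): union of machines, service ports that stay free."""
    if not composable(structs):
        raise ValueError("structures are not composable")
    m_all = frozenset().union(*(m for m, _ in structs))
    s_all = frozenset().union(*(s for _, s in structs))
    return m_all, s_all & free(m_all)


# Constructed two-layer example: a channel machine whose user is an application
# machine.  The channel leaves delivery scheduling (rcv<?) and the port adv to
# the adversary, so neither is a service port; the application offers req/res
# to its own user.
CHANNEL: Structure = (frozenset({"snd?", "rcv!", "adv!"}),
                      frozenset({"snd~?", "snd<?", "rcv~!"}))
APP: Structure = (frozenset({"req?", "snd!", "snd<!", "rcv?", "res!", "res<!"}),
                  frozenset({"req~?", "req<?", "res~!"}))
# Same application, but claiming the shared free clock port rcv<? as a service
# port that the channel does not offer: violates the second condition.
APP_BAD: Structure = (APP[0], APP[1] | {"rcv<?"})
```

`compose([CHANNEL, APP])` yields the service ports `{req~?, req<?, res~!}`: the channel's former service ports are now connected to the application and drop out of `free`, while `composable([CHANNEL, APP_BAD])` is false.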

We now define the composition of variably many systems, i.e., there is a potentially infinite supply of systems from which a finite number $P(k)$ is chosen for composition for each security parameter $k$. 

Definition 15. (Parametrized Composition of Systems) Let a sequence $Sysseq = (Sys^{(i)})_{i \in \mathbb{N}}$ be given where each $Sys^{(i)}$ is a parametrized system, and let $P : \mathbb{N} \to \mathbb{N}$ be a function. Then a $P$-sized composition of $Sysseq$ is a parametrized system $Sys^*$ where for all $k \in \mathbb{N}$, every structure $(\hat{M}^*, S^*) \in Sys^*_k$ has a unique representation $(\hat{M}^*, S^*) = (\hat{M}_1, S_1) \| \cdots \| (\hat{M}_{P(k)}, S_{P(k)})$ with composable structures $(\hat{M}_i, S_i) \in Sys^{(i)}_k$ for $i = 1, \ldots, P(k)$. We call $(\hat{M}_i, S_i)$ the restriction of $(\hat{M}^*, S^*)$ to $Sys^{(i)}$ and write $(\hat{M}_i, S_i) = (\hat{M}^*, S^*)\lceil_{Sys^{(i)}}$. ◇ 

If the systems $Sys^{(i)}$ have a joint bounding function $Q$, then $P \cdot Q$ is a bounding function for $Sys^*$. In particular, if $P$ and $Q$ are polynomials, then $Sys^*$ is polynomial-time. 

3 General Composition Theorem for Blackbox Simulatability 

In this section, we show that reactive blackbox simulatability is consistent with the composition of a parametrized number of systems, in particular polynomially many in the computational case. The basic idea is the following: Assume that we have proven that a potentially infinite supply of systems $Sys^{(i)}$ are as secure as systems $Sys'^{(i)}$ in the sense of black-box simulatability. Now we want to use $Sys^{(i)}$ as a secure replacement for $Sys'^{(i)}$, i.e., as an implementation of the ideal system $Sys'^{(i)}$. The following theorem shows that such modular proofs are possible. The situation is shown in the upper part of Figure 3. 

Additional conditions in the theorem are that all corresponding structures are composable and that, for the polynomial case, the security of the system is in a certain sense uniform. 

¹ The first condition makes one structure a valid user of another. The second one excludes cases where $p \in free([\hat{M}_i]) \cap free([\hat{M}_j])$ (e.g., a clock port for a connection between these structures) and $p \in S_i$ but $p \notin S_j$. 
Theorem 1. (Secure Parametrized Composition, Blackbox Case) Let $Sysseq = (Sys^{(i)})_{i \in \mathbb{N}}$ and $Sysseq' = (Sys'^{(i)})_{i \in \mathbb{N}}$ be sequences of parametrized systems. Let $f = (f^{(i)})_{i \in \mathbb{N}}$ be a sequence of valid mappings $f^{(i)} : Sys^{(i)} \to Sys'^{(i)}$, and let $Sys^{(i)} \geq^{f^{(i)}, y_i}_{bb} Sys'^{(i)}$ for all $i \in \mathbb{N}$. 

Let $P : \mathbb{N} \to \mathbb{N}$, and let $Sys^{\#}$ and $Sys^*$ denote the $P$-sized compositions of $Sysseq$ and $Sysseq'$, respectively. Assume that the following structural conditions hold for all $k \in \mathbb{N}$ and every structure $(\hat{M}^{\#}, S) \in Sys^{\#}_k$: Let its restrictions be $(\hat{M}_i, S_i) := (\hat{M}^{\#}, S)\lceil_{Sys^{(i)}}$ and the corresponding structures $(\hat{M}'_i, S_i) := f^{(i)}((\hat{M}_i, S_i))$ for all $i \leq P(k)$. Then the composition 

$f^*((\hat{M}^{\#}, S)) := (\hat{M}'_1, S_1) \| \cdots \| (\hat{M}'_{P(k)}, S_{P(k)})$ 

exists and lies in $Sys^*_k$. Furthermore, $(\hat{M}_i, S_i)$ and $(\hat{M}'_j, S_j)$ must be composable for $j \neq i$, and $ports(\hat{M}'_j) \cap S^c_i = ports(\hat{M}_j) \cap S^c_i$ for all $j \neq i$. Then we have 

$Sys^{\#} \geq^{f^*, y}_{bb} Sys^*$ 

a) with $y$ = perf if $y_i$ = perf for all $i \in \mathbb{N}$. 

b) with $y = P(k) \cdot \delta(k, b(k))$ if all $y_i$ are bounded by a function $\delta : \mathbb{N}^2 \to \mathbb{R}_{\geq 0}$, and where $b(k)$ is the sum of the complexity of the systems, the user, and the simulators. 

c) With concrete complexity: For every $conf^{\#} \in Conf^{f^*}(Sys^{\#})$, a $(t, \delta)$-distinguisher for $conf^{\#}$ and $f_C(conf^{\#})$ gives rise to a $(t', \delta')$-distinguisher for $conf^{(i)}$ and $f_C(conf^{(i)})$ for a $conf^{(i)} \in Conf^{f^{(i)}}(Sys^{(i)}_k)$ with $\delta' = \delta / P(k)$ and $t' = t + b'(k)$, where $b'(k)$ is a polynomial independent of $t_{conf^{\#}}$. (Details are given in the proof.) 

d) with $y$ = poly if $y_i$ = poly for all $i \in \mathbb{N}$ and under the following conditions: The function $P$ is polynomially bounded, and the systems $Sys^{(i)}$ have a joint bounding polynomial $Q$. The complexities of the simulator families induced by the mappings $f^{(i)}$ are bounded by a joint polynomial $Q_{Sim}$. The distinguishing probabilities of the system pairs $(Sys^{(i)}, Sys'^{(i)})$ are uniformly bounded, i.e., for all polynomials $t$ there exists a negligible function $\delta$ such that for all distinguishers $Dis$, all $i, k \in \mathbb{N}$, and all $conf = (\hat{M}_i, S_i, H, A) \in Conf^{f^{(i)}}(Sys^{(i)}_k)$ we have $(t_{Dis} \leq t(k) \wedge t_H \leq t(k) \wedge t_A \leq t(k)) \Rightarrow \delta_{conf} \leq \delta(k)$ (recall Definition 12d). □ 

The first statement to be proved is extracted into the following lemma. 

Lemma 3. Under the conditions of Theorem 1, the mapping $f^*$ is a valid mapping between $Sys^{\#}$ and $Sys^*$. □ 

The proof is straightforward as in [30], but heavy on notation. Hence we omit it in this 
short version. Recall that blackbox simulatability was defined by a function that selects 
one fixed simulator for each structure (Definition 13). 

Fig. 3. Configurations in the composition theorem for blackbox simulatability. 

Definition 16. (Simulator and Corresponding Configurations) Under the conditions of Theorem 1 and for all $i \in \mathbb{N}$, let $f^{(i)}_{Sim}$ and $f^{(i)}_\sigma$ be the simulator and renaming functions from which $f^{(i)}_C$ is composed by blackbox simulatability. We compose them into functions $f^*_{Sim}$ and $f^*_\sigma$ on $Sys^{\#}$ as follows: Given $k \in \mathbb{N}$ and $(\hat{M}^{\#}, S) \in Sys^{\#}_k$, let $Sim_i := f^{(i)}_{Sim}((\hat{M}_i, S_i))$ for all $i \leq P(k)$, and let 

$f^*_{Sim}((\hat{M}^{\#}, S)) := comb(Sim_1, \ldots, Sim_{P(k)});$ 

further let $f^*_\sigma((\hat{M}^{\#}, S)) := f^{(P(k))}_\sigma \circ \cdots \circ f^{(1)}_\sigma$. Let $f^*_C$ be constructed from $f^*$, $f^*_{Sim}$, and $f^*_\sigma$ by the equations in Definition 13 (blackbox simulatability). ◇ 

The complexity $t_{Sim}$ of the simulator is $t_{Sim}(k) = \sum_{i \leq P(k)} t_{Sim_i}(k)$ by Lemma 2. In the polynomial case, there exists a polynomial $Q_{Sim}$ such that $t_{Sim_i} \leq Q_{Sim}$ for all $i$, hence $t_{Sim}(k)$ is polynomially bounded by $P(k) \cdot Q_{Sim}(k)$. 

We also omit the technical proof that indeed $f^*_C : Conf^{f^*}(Sys^{\#}) \to Conf(Sys^*)$ in Definition 16. It is nevertheless interesting that these proof parts that verify the compatibility of channels and the difference of service ports and adversary ports in compositions make up the major part of a rigorous proof, while the cryptographic aspects are shorter and more standard. 

Now we can concentrate on proving that the simulator simulates correctly. The 
proof consists of a hybrid argument as first used in [15], i.e., we construct intermediate 
configurations that differ only in the machines of one system. 

Proof (Theorem 1). Let a configuration $conf^{\#} = (\hat{M}^{\#}, S, H, A) \in Conf^{f^*}(Sys^{\#}_k)$ be given and $conf^* := f^*_C(conf^{\#})$ the corresponding configuration according to Definition 16. Let the sub-structures $(\hat{M}_i, S_i)$ and $(\hat{M}'_i, S_i)$, the simulators $Sim_i$ and functions $f^{(i)}_\sigma$ with various indices be defined as in the formulation of the theorem and Definition 16. Furthermore, let $(\hat{M}^*, S) := f^*((\hat{M}^{\#}, S))$ and $Sim := f^*_{Sim}((\hat{M}^{\#}, S))$. Then we have $conf^* = (\hat{M}^*, S, H, comb(Sim, f^*_\sigma(A)))$; recall that $f^*_\sigma$ is just a port renaming; hence Figure 3 simplifies it to $A$. 

The outline of the hybrid argument is as follows. 

1. We define hybrid configurations $conf^{hyb}_i$ of $Sys^{(i)}$ and $conf'^{hyb}_i$ of $Sys'^{(i)}$ for $i = 1, \ldots, P(k)$. In $conf^{hyb}_i$ the first $i - 1$ real structures have already been replaced with their ideal counterparts, while in $conf'^{hyb}_i$ also the $i$-th structure has been replaced. To make these configurations correct configurations of the respective systems, all other machines are grouped into an overall hybrid user $H^{hyb}_i$ as shown at the bottom of Figure 3 for $i = 2$ and $P(k) = 3$. 

2. We show that these are correct and corresponding configurations with respect to the given blackbox simulatability between $Sys^{(i)}$ and $Sys'^{(i)}$. 

3. We show that the views of $H$ in $conf'^{hyb}_i$ and $conf^{hyb}_{i+1}$ are equal for $i = 1, \ldots, P(k) - 1$. Moreover, we show that the views of $H$ are equal in $conf^{\#}$ and $conf^{hyb}_1$, and in $conf'^{hyb}_{P(k)}$ and $conf^*$. This gives a kind of indistinguishability chain (for one configuration) 

$view_{conf^{\#}}(H) \approx view_{conf^{hyb}_1}(H) \approx \cdots \approx view_{conf'^{hyb}_{P(k)}}(H) \approx view_{conf^*}(H).$ 

4. We show that this implies indistinguishability between first and last elements. 

We now explain these steps in more detail. 

Step 1: For $i = 1, \ldots, P(k)$, let the machine collection for the $i$-th hybrid user be $\hat{H}_i := \{H\} \cup \bigcup_{1 \leq j < i} \hat{M}'_j \cup \{Sim_j \mid 1 \leq j < i\} \cup \bigcup_{i < j \leq P(k)} \hat{M}_j$ and let $H^{hyb}_i := comb(\hat{H}_i)$. Furthermore let $A_i := f^{(i-1)}_\sigma \circ \cdots \circ f^{(1)}_\sigma(A)$ and $A' := f^{(i)}_\sigma(A_i)$. Then we define the hybrid configurations as 

$conf^{hyb}_i := (\hat{M}_i, S_i, H^{hyb}_i, A_i);$ 

$conf'^{hyb}_i := (\hat{M}'_i, S_i, H^{hyb}_i, comb(Sim_i, A')).$ 

For the computational case, we have to show that the family of $H^{hyb}_i$ is polynomial-time. This holds since $t_{H^{hyb}_i} \leq t_H + t_{Sim} + P(k) \cdot Q(k)$ by Lemma 2, where each addend is polynomially bounded by assumption. 

Step 2: We have to show that conf_i^hyb ∈ Conf(Sys_i) and conf'_i^hyb ∈ Conf(Sys'_i), i.e., essentially that the hybrid users do not use non-service ports. In this short version, we omit this proof. Then the definition of conf_i^hyb and conf'_i^hyb immediately implies

conf'_i^hyb = f_i(conf_i^hyb),   (1)

i.e., these are indistinguishable configurations under the given black-box simulatability between Sys_i and Sys'_i.
Step 3: The configurations conf'_i^hyb and conf_{i+1}^hyb consist of the same collection of machines C_i := H_i ∪ {M'_i, Sim_i, A'_i}. Combining them in different ways does not alter the view of H by Lemma 2. Thus we have

view_{conf'_i^hyb}(H) = view_{conf_{i+1}^hyb}(H)   (2)

for all i ∈ {1, ..., P(k) − 1}, and similarly

view_{conf^#}(H) = view_{conf_1^hyb}(H) ∧ view_{conf'_{P(k)}^hyb}(H) = view_{conf*}(H).   (3)



Step 4: We now distinguish the type of the given simulatability relations Sys_i ≥ Sys'_i.

For perfect simulatability, Equation (1) gives us view_{conf_i^hyb}(H) = view_{conf'_i^hyb}(H) for all i. With Equations (2) and (3) this yields view_{conf^#}(H) = view_{conf*}(H). This result for an arbitrary fixed configuration conf^# implies equality of all families of such views.

For statistical simulatability, let Sys_i be δ-statistically at least as secure as Sys'_i. Let l ∈ ℕ. For prefixes of length l and v ranging over the potential views of this length, we abbreviate q^#_v := Pr(view_{conf^#,l}(H) = v) and q*_v := Pr(view_{conf*,l}(H) = v), and q_{i,v} := Pr(view_{conf_i^hyb,l}(H) = v) and q'_{i,v} := Pr(view_{conf'_i^hyb,l}(H) = v) for all i.

For all potential views v, we have q'_{i,v} = q_{i+1,v} and q^#_v = q_{1,v} and q'_{P(k),v} = q*_v by Equations (2) and (3). The desired statistical distance is

$$
\begin{aligned}
\delta_{stat}(conf^\#) &:= \frac{1}{2} \sum_v |q^\#_v - q^*_v| \\
&= \frac{1}{2} \sum_v |q_{1,v} - q_{2,v} + q_{2,v} - q_{3,v} + \cdots + q_{P(k),v} - q'_{P(k),v}| \\
&\le \frac{1}{2} \sum_v \bigl(|q_{1,v} - q_{2,v}| + |q_{2,v} - q_{3,v}| + \cdots + |q_{P(k),v} - q'_{P(k),v}|\bigr) \\
&= \sum_{i=1}^{P(k)} \frac{1}{2} \sum_v |q_{i,v} - q'_{i,v}| \\
&= \sum_{i=1}^{P(k)} \Delta_{stat}\bigl(view_{conf_i^{hyb},l}(H),\ view_{conf'^{hyb}_i,l}(H)\bigr).
\end{aligned}
$$

With Lemma 1 this gives

$$
\delta_{stat}(conf^\#) \le \sum_{i=1}^{P(k)} \Delta_{stat}\bigl(view_{conf_i^{hyb},l_i}(H_i^{hyb}),\ view_{conf'^{hyb}_i,l_i}(H_i^{hyb})\bigr) \le \sum_{i=1}^{P(k)} \delta(k, l_i),
$$

where the l_i are sufficiently large numbers to ensure that the l-step prefix of the view of H in conf'_i^hyb is a subsequence of the l_i-step prefix of the view of H_i^hyb. A general bound is the complexity of H_i^hyb, which is bounded by b := t_H + t_{M^#} + t_{M'} + t_Sim. This implies δ_stat(conf^#) ≤ P(k) · δ(k, b(k)) as desired.
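A worked instance of the hybrid chain above, added here as an example and not part of the original paper. It assumes a toy model in which each of P(k) = 3 sub-systems contributes one independent bit to the view of H, with the real and ideal sub-systems producing a 1 with the probabilities REAL and IDEAL chosen below (constructed values). Because the views are finite, Δ_stat is computed exactly with fractions, Equations (2) and (3) appear as equalities between hybrid distributions, and the final bound δ_stat(conf^#) ≤ Σ_i Δ_stat(conf_i^hyb, conf'_i^hyb) can be checked numerically.

```python
from fractions import Fraction
from itertools import product


def bern(p):
    """Distribution of one view bit: Pr[1] = p."""
    return {0: 1 - p, 1: p}


def product_dist(factors):
    """Joint distribution of independent factors, as a dict view -> probability."""
    dist = {}
    for outcome in product(*[sorted(f) for f in factors]):
        pr = Fraction(1)
        for f, v in zip(factors, outcome):
            pr *= f[v]
        dist[outcome] = pr
    return dist


def stat_distance(p, q):
    """Delta_stat(p, q) = 1/2 * sum_v |p(v) - q(v)|, computed exactly."""
    return Fraction(1, 2) * sum(abs(p.get(v, 0) - q.get(v, 0)) for v in set(p) | set(q))


def hybrid(real, ideal, i, ith_replaced):
    """conf_i^hyb (ith_replaced=False): the first i-1 structures are ideal, the rest real.
    conf'_i^hyb (ith_replaced=True): additionally the i-th structure is ideal."""
    factors = []
    for j in range(1, len(real) + 1):          # structures are numbered 1..P(k)
        use_ideal = j < i or (ith_replaced and j == i)
        factors.append(bern(ideal[j - 1] if use_ideal else real[j - 1]))
    return product_dist(factors)


def hybrid_chain(real, ideal):
    """Return (Delta_stat(conf#, conf*), [Delta_stat(conf_i^hyb, conf'_i^hyb) for each i]).
    The equalities (2) and (3) of the proof are checked on the way."""
    n = len(real)
    conf_sharp = product_dist([bern(r) for r in real])    # all structures real
    conf_star = product_dist([bern(s) for s in ideal])    # all structures ideal
    assert hybrid(real, ideal, 1, False) == conf_sharp    # Equation (3), first half
    assert hybrid(real, ideal, n, True) == conf_star      # Equation (3), second half
    per_step = []
    for i in range(1, n + 1):
        h, h_prime = hybrid(real, ideal, i, False), hybrid(real, ideal, i, True)
        if i < n:
            assert h_prime == hybrid(real, ideal, i + 1, False)   # Equation (2)
        per_step.append(stat_distance(h, h_prime))
    return stat_distance(conf_sharp, conf_star), per_step


# Constructed toy parameters: P(k) = 3 sub-systems, real vs. ideal bias of each view bit.
REAL = (Fraction(1, 2), Fraction(1, 3), Fraction(1, 4))
IDEAL = (Fraction(3, 5), Fraction(1, 3), Fraction(3, 10))

if __name__ == "__main__":
    total, steps = hybrid_chain(REAL, IDEAL)
    print("delta_stat(conf#) =", total, " per step:", steps, " bound:", sum(steps))
```

Each per-step distance equals |r_i − s_i| because only one independent coordinate changes between conf_i^hyb and conf'_i^hyb, while the end-to-end distance (1/10 for the values above) is strictly below their sum (3/20), which is exactly the triangle-inequality slack the derivation tolerates.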

For concrete complexity and for a (t, Δ^{conf^#})-distinguisher Dis, we have by definition

Δ^{conf^#} ≤ |Pr(Dis(1^k, view_{conf^#}(H)) = 1) − Pr(Dis(1^k, view_{conf*}(H)) = 1)|.

We abbreviate q^# := Pr(Dis(1^k, view_{conf^#}(H)) = 1) and q* := Pr(Dis(1^k, view_{conf*}(H)) = 1), and q_i := Pr(Dis(1^k, view_{conf_i^hyb}(H)) = 1) and q'_i := Pr(Dis(1^k, view_{conf'_i^hyb}(H)) = 1) for all i, and Δ_i := |q_i − q'_i|. Now Equations (2) and (3) yield

$$
\Delta^{conf^\#} = |q^\# - q^*| = |q_1 - q_2 + q_2 - q_3 + \cdots + q_{P(k)} - q'_{P(k)}| \le |q_1 - q_2| + |q_2 - q_3| + \cdots + |q_{P(k)} - q'_{P(k)}| = \Delta_1 + \Delta_2 + \cdots + \Delta_{P(k)}.
$$

This implies that there exists some i with Δ_i ≥ Δ^{conf^#}/P(k).

We can now consider Dis as a (t, Δ_i)-distinguisher Dis'_i of a function φ of views of the actual user H_i^hyb of the i-th hybrid systems. Here φ maps a view of H_i^hyb to its restriction to the view of H. The complexity of φ is linear. Hence Lemma 1 implies that there exists a (t_i, Δ_i)-distinguisher Dis''_i for view_{conf_i^hyb}(H_i^hyb) and view_{conf'_i^hyb}(H_i^hyb) with t_i = t + b'(k), where b'(k) bounds the length of the views of H_i^hyb. The complexity t_{H_i^hyb} of H_i^hyb is bounded by b = t_H + t_{M^#} + t_{M'} + t_Sim, and above we showed t_Sim ≤ P · g_Sim. The length of runs and thus views in our current representation is bounded by the square of this complexity (but this might be improvable by tighter encoding). This yields the desired polynomial bound b'(k) independent of the adversary complexity.

For polynomial simulatability, let H, A be a user and an adversary for Sys^# of complexity t_H and t_A, and let l be a polynomial and Dis a distinguisher family of complexity t. Then the functions t_{H^hyb}, t_i, and t_{A_i} = t_A are polynomials. By assumption, there exists a negligible function δ that uniformly bounds the advantage of distinguishers for the given system pairs for the complexity function max(t_i, t_{H^hyb}, t_A). Now let a configuration conf^# = (M^#, S, H, A) ∈ Conf(Sys^#) be given. The concrete security considerations and Equation (1) imply Δ_i = Δ^{conf_i^hyb} ≤ δ(k), and therefore Δ^{conf^#} ≤ P(k) · δ(k) is negligible. This proves the desired polynomial indistinguishability of the families of user views over Sys^# and Sys*. ∎

4 From Black-Box to Universal Simulatability

We now show a relation between universal simulatability and black-box simulatability. It allows us to apply our general composition theorem to universal simulatability under reasonable assumptions, but it is also of independent interest. More precisely, we show that universal simulatability for two parametrized systems Sys_1 and Sys_2 is equivalent to black-box simulatability if Sys_1 fulfills the following structural requirement: Whenever a clock-out port of a structure (M_1, S_1) ∈ Sys_1 is contained in S̄_1, then so is either the corresponding input or output port. This means that the adversary is not allowed to schedule messages of a connection where it is neither the sender nor the recipient. This condition is naturally fulfilled for insecure channels, since the adversary is inserted between the connections of two machines of the system.

Theorem 2. (Relating Black-box and Universal Simulatability) Let Sys_1, Sys_2 be two parametrized systems with a valid mapping f, where for every structure (M_1, S_1) ∈ Sys_1, we have p⊲! ∈ S̄_1 ⇒ (p? ∈ S̄_1 ∨ p! ∈ S̄_1). Then Sys_1 ≥^{uni,y} Sys_2 iff Sys_1 ≥^{bb,y} Sys_2 for y = perf or a function δ, and also for y = poly if Sys_1 is polynomial-time.

For concrete security, if Sys_1 ≥^{uni} Sys_2 is given with a t-mapping f_C, then we obtain Sys_1 ≥^{bb} Sys_2 with simulator complexity t(t_{Sys_1}). And a (t, δ)-distinguisher for the views in the black-box case gives rise to a (t', δ)-distinguisher for the views in the universal case, where t' is the sum of t and the view length of H and A. □

Proof. The left-to-right direction is clear by definition. The difficult direction is to show that universal simulatability implies black-box simulatability. Due to lack of space, we can only present a short sketch. This direction essentially consists of four steps:

1. Let a configuration conf_1 = (M_1, S, H, A_1) of the sub-system Sys_{1,k} be given. We first derive another configuration conf_1^uni = (M_1, S, H^uni, A'_1) of Sys_1 as follows: We insert a machine TS_{P,b,k}, called transparent scheduler, into the connections between A_1 and the simple ports in S̄_1. It forwards messages between machines of the structure and the adversary. Its parameters P and b correspond to the ports that the transparent scheduler connects to and a bound on its runtime, which is the joint runtime of the machines in M_1. This machine only depends on M_1, S, and k. The new user is the combination H^uni := comb(H, A_1), and the new adversary is A'_1 := TS_{P,b,k}. We show that the views of both H and A_1 are identical in the two configurations.

2. We now show that conf_1^uni ∈ Conf(Sys_1) and apply the precondition Sys_1 ≥^uni Sys_2. This yields an indistinguishable configuration conf_2^uni of Sys_2 with a new adversary A_2. By the definition of universal simulatability, A_2 only depends on M_1, S and on A'_1 = TS_{P,b,k}. Since TS_{P,b,k} only depends on M_1 and S, the adversary A_2 also only depends on M_1 and S.

3. We obtain a configuration conf_2 with the original user and a simulator from conf_2^uni by reversing the combination of H and A_1 into H^uni, and by defining the simulator as Sim := A_2. We show that this does not affect the view of H.

4. Combining several equalities between views of H in different configurations and one indistinguishability gives the same class of indistinguishability.

Summarized statements follow from this treatment per configuration, i.e., with concrete security (although details are omitted here), as usual. ∎
Abstract. In a paper from EuroCrypt'99, Damgård, Kilian and Salvail show various positive and negative results on constructing Bit Commitment (BC) and Oblivious Transfer (OT) from Unfair Noisy Channels (UNC), i.e., binary symmetric channels where the error rate is only known to be in a certain interval [γ..δ] and can be chosen adversarially. They also introduce a related primitive called PassiveUNC. We prove in this paper that any OT protocol that can be constructed based on a PassiveUNC and is secure against a passive adversary can be transformed using a generic “compiler” into an OT protocol based on a UNC which is secure against an active adversary. Apart from making positive results easier to prove in general, this also allows correcting a problem in the EuroCrypt'99 paper: There, a positive result was claimed on constructing from UNC an OT that is secure against active cheating. We point out that the proof sketch given for this was incomplete, and we show that a correct proof of a much stronger result follows from our general compilation result and a new technique for transforming between weaker versions of OT with different parameters.



1 Introduction 

Bit Commitment (BC) and Oblivious Transfer (OT) are the most fundamental primitives in cryptographic protocol design [8,1,3,9,10]. But in a scenario with only two players, neither primitive can be implemented with unconditional security based only on standard, error free communication. Even quantum communication does not help [14,13]. However, Crépeau and Kilian have shown that both primitives can be implemented based on a binary symmetric channel (BSC) [5]. A BSC is a channel for transmitting single bits, and for every bit transmitted, the channel decides with some fixed probability to flip the bit before it is given to the receiver. Unfortunately, results based on BSCs do not give realistic security guarantees. The reason for this is that one must expect that a cheating player will try to influence the channel and have this work to his/her advantage, for instance by lowering the noise rate in order to learn more than expected about what the other party sent or received. Note that one can always hide the fact that the channel was made less noisy by pretending to have sent (received) a more noisy signal than the one actually sent (received). Moreover, even in the absence of such attacks, it is hardly realistic to assume that the noise rate is known exactly.

In [7], Damgård, Kilian and Salvail introduce the Unfair Noisy Channel (UNC) as a model of a noisy channel that is more realistic in cryptographic applications than a BSC. A (γ, δ)-UNC is basically a BSC, where, however, the noise rate is only known to be in a certain interval [γ..δ], and where if the sender or receiver has been corrupted by an adversary, the adversary can set the noise rate to any desired value in the interval. So a UNC models active cheating directed against the way a physical channel works in order to manipulate the error rate. If the channel is a radio link, for instance, the adversary could invest in more sophisticated receiving equipment without telling the other party and thereby lower the noise rate from his point of view. However, it may still be realistic to assume that he cannot remove all noise from the channel, so such a case can be captured in the UNC model.

Another primitive was also introduced, namely a (γ, δ)-PassiveUNC. This is a BSC with error rate δ, but where the adversary gets for every transmission some side information z with the property that given z, the bit received/sent by the other (honest) player can be guessed with error probability γ. In other words, knowledge of z brings the error rate down to γ from the adversary's point of view. This models a passive, i.e., “honest but curious” adversary, who measures somewhere “in the middle” of the channel, and then later uses the information obtained to compute data he should not have access to.

In [7], it was proved that Bit Commitment (BC) can be implemented with unconditional security based on a (γ, δ)-UNC if and only if the interval [γ..δ] is not too wide, more precisely, if and only if δ < 2γ(1 − γ). It was also shown that one cannot base Oblivious Transfer (OT) on a (γ, δ)-UNC (nor on a PassiveUNC) if δ > 2γ(1 − γ). On the positive side, it was shown that if γ and δ satisfy a rather complex condition (stronger than δ < 2γ(1 − γ)), then OT (with passive security) can be based on a (γ, δ)-PassiveUNC.

Finally, it was claimed that this same result also holds when using a (γ, δ)-UNC, and with security against active cheating. This was based on a standard idea where the players use bit commitments to commit to all private data, including what is sent and received on the channel, and then use generic zero-knowledge techniques to demonstrate that they follow the protocol. This technique indeed works assuming that we can force a cheating player to commit to the bits he actually sends or receives over the channel (except with arbitrarily small probability). This assumption is true for a BSC: for instance the sender S can be instructed to commit to bits b_i, i = 1..n, and send them over the BSC with noise rate, say, δ. Having received bits b̂_i, i = 1..n, the receiver R then asks to have all committed bits opened except one, say b_j. If S was honest, we expect that a fraction of about δ of the opened bits will be different from the received bits b̂_i, i = 1..n. So R is instructed to reject if the fraction of disagreement is significantly larger than δ. If R does not reject, this means intuitively that he believes that the committed bit b_j really is the bit that was sent over the channel and resulted in R receiving b̂_j. This is justified since it follows from standard probability theory that the probability of having b_j different from the j'th bit actually sent and still having the receiver accept can be made arbitrarily small by increasing n.

Unfortunately, no such technique can work for a UNC. We show below that for any protocol that aims to implement a “committed UNC”, the probability of error is at least a constant, namely (δ − γ)/(1 − 2γ). This problem was not taken care of in [7].

In this paper, we show a different (and correct) way to apply the idea of using commitments and zero-knowledge proofs to enforce correct behavior. This turns out to lead to a result that is much more general than what was claimed in [7] and which can be informally stated as follows: Any two-party protocol that, based on a (γ, δ)-PassiveUNC, implements an OT secure against passive cheating, can be transformed using a generic “compiler” into a protocol that uses a (γ, δ)-UNC for communication and builds an OT secure against active cheating.

The opposite direction of this result is also true, and trivial to prove. So this implies that, to prove positive or negative results on building OT from UNC or PassiveUNC, we can now concentrate only on the case of PassiveUNC and passive cheating - which is clearly much simpler. It also immediately implies a complete proof of the claim made in [7].

In the final part of the paper we exploit this, and a new technique for transforming between the weaker versions of OT, in order to prove a stronger positive OT result than the one claimed in [7]. In other words, there is now a much larger range of (γ, δ)-values for which we can implement OT based on a (γ, δ)-UNC. For instance we can now show that robust OT follows from a (γ, δ)-UNC with any value of δ between 0 and 1/2, provided γ is close enough to δ.

Due to space limitations, some proofs could not be included in this proceed- 
ings version of the paper. They can be found in the full paper [6]. 

2 Models of Communication and Adversaries 

Our protocols throughout the paper take place in a model with two players 
A, B connected by an error free channel and also by a noisy channel with some 
particular characteristic, such as a UNC or a PassiveUNC. We assume a bounded 
delay in message delivery for all channels such that failure to send a message 
can be detected. 

In order to specify formally the channels and reductions we study, we will use the universally composable framework of Canetti [2]. In this framework, players in a protocol can be given access to one or more ideal functionalities. Such a functionality can be thought of as a trusted party T with whom every player can communicate privately. There is a number of commands specified that T will execute. Every player can send a command to T, and T will faithfully carry out the command according to its specification, and may send results back to (some of) the players. Many cryptographic constructions - including ours - actually aim at building a protocol for the players only (without a trusted party) that does “the same thing” as some ideal functionality T, even if an adversary can corrupt some of the players and make them behave as he likes. The framework provides a precise definition of what it means that a protocol π in this way securely implements T. If this definition is satisfied, then any protocol that is secure when using T is also secure if T is replaced by π. In its full generality, the definition is robust against adaptive adversaries and concurrent composition of protocols.

All our protocols are in the 2-player case with information theoretic security. Here, the standard approach in previous research to security proofs has been to assume that either A or B is cheating, then prove some relevant security properties, and finally to prove that if both parties are honest, then the protocol “works correctly”. We express this in the UC framework by assuming an infinitely powerful non-adaptive adversary who from the start has corrupted no one, or either A or B. While we believe that our results extend to adaptive adversaries, we do not prove or claim this in this paper. Furthermore, if the noisy channel is a UNC, then the adversary is assumed to be active, i.e., can decide the corrupted player's behavior. If the channel is a PassiveUNC, the adversary is passive.

Another consequence of being in the two-player case is that we do not think of our protocols as subroutines in a multiplayer protocol, nor are we worried about external observers, only about what a corrupted A or B might do or learn. We therefore assume that unless the adversary corrupts a player, he gets no information about the communication between A and B. At the cost of more complex proofs, our results extend to the case where the adversary always eavesdrops on the error free channel.

To prove that a protocol π satisfies the UC definition, one has to construct, for every adversary Adv attacking the protocol in question, an ideal model adversary, or simulator S, which gets to attack an ideal scenario where only the players and T are present. The goal of S is to achieve “the same” as Adv could have achieved by an attack on the real protocol. In the framework, this is formalized by assuming an environment machine Z which can communicate in a real life attack with Adv and the honest players, and in the ideal model with S and the honest players. The protocol is said to be secure if for every adversary Adv there exists a simulator S, such that Z cannot tell if it is in the real-life or the ideal model. For details, see [2].

In proofs of this type of security, S usually works by running internally a copy of the adversary Adv, and passing interaction back and forth between Z and Adv with no change. If S can simulate with an indistinguishable distribution both the view of Adv attacking π and simultaneously make the input/output behavior of the honest players be as in the real attack, then Z will not be able to tell any difference.

The noisy channels we study in this paper can very conveniently be mod- 
eled as ideal functionalities, and reductions that build one type of channel from 
another can be proved secure in this framework. Since the results we prove are 
information theoretic in nature, we modify the UC model as given in [2] by al- 
lowing our adversaries and simulators infinite computing power - but we stress 
that honest players can execute our protocols efficiently. 

3 Some Functionalities

We can now specify our basic types of channels precisely, but for completeness we start by describing the functionality for standard (1-out-of-2) OT as well as for a weak version as introduced in [7] with parameters 0 < p, q < 1 and 0 < ε < 1/2:

Functionality OT

Send (b_0, b_1): The issuer of the Send command is called the sender, the other party is the receiver. On receipt of this command, the functionality records (b_0, b_1) and outputs “which bit?” to the receiver. It ignores all further commands until the receiver sends a “Choice” command.

Choice c: Receiving this command from the receiver, the functionality sends b_c to the receiver if c ∈ {0, 1} and otherwise ignores the command.

For later convenience, we call the receiver's choice c the selection bit and the bit b_{1−c} (which is not revealed to the receiver) the secret bit.

Functionality (p, q, ε)-WOT

Send (b_0, b_1): The functionality's action on this command is the same as in OT.

Choice c: If c ∉ {0, 1} then the functionality ignores the command. Otherwise, it chooses b̂_c ∈ {0, 1} such that Pr(b̂_c ≠ b_c) = ε and sends it to the receiver. Additionally, if the sender is corrupted, then with probability p it sends c to the sender, and if the receiver is corrupted, then with probability q it sends b_{1−c} to the receiver.

A (γ, δ)-UNC is specified by the following functionality.

Functionality (γ, δ)-UNC

Send b: The issuer of the Send command is called the sender, the other party is the receiver. On receipt of this command, the functionality records b and outputs a string “which error probability?” to the adversary. It ignores all further commands until the adversary sends an “Error probability” command.

Error probability ε: Receiving this command from the adversary, the functionality checks if γ ≤ ε ≤ δ. If not, the command is ignored. Otherwise, it chooses a random bit b', such that Pr(b' = 1) = ε, and sends b̂ = b ⊕ b' to the receiver.
What we want to model here is intuitively that a corrupted player may influence the error rate or even block the channel. But if both players are honest, transmissions will always go through; however, the error rate will fluctuate in some arbitrary way in the given interval. We therefore assume throughout about the adversary that if both players are honest, then the adversary will always give a legal error probability back when receiving a request from the UNC.

As mentioned, the adversary is allowed to set the error probability to any value in [γ..δ] for every transmission. However, if the adversary corrupts a player, any attack he can do following, say, algorithm Alg can be simulated perfectly by an adversary that sets the error rate to γ always, but adds artificial noise to any bit sent (received) in case Alg wanted a larger error rate. We may therefore always assume that an active adversary who corrupts A or B always sets the error rate of the UNC to γ.

We introduce some notation that will be convenient: if we cascade a BSC with error rate x and a BSC with error rate y, the result is again a BSC; we define x ⊞ y to be the resulting error rate, x(1 − y) + (1 − x)y. Note that the operator ⊞ is commutative, associative and satisfies that if |x − x'| ≤ ν, then |x ⊞ y − x' ⊞ y| ≤ ν for all y.

Functionality (γ, δ)-PassiveUNC

Send b: The issuer of the Send command is called the sender, the other party is the receiver. On receipt of this command, the functionality chooses random bits b', b'', such that Pr(b' = 1) = γ and Pr(b'' = 1) = ν, where γ ⊞ ν = δ. This ensures that Pr(b' ⊕ b'' = 1) = δ. The functionality sends b̂ = b ⊕ b' ⊕ b'' to the receiver. If the adversary has corrupted a player, it sends to the adversary a bit z, where z = b ⊕ b'' if the sender is corrupted, and z = b ⊕ b' if the receiver is corrupted. Intuitively, given z, the noise rate goes down to γ.
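To make the UNC and PassiveUNC functionalities and the ⊞ operator concrete, here is an added example; it is not code from the paper. It implements the Send commands of the (γ, δ)-UNC and the (γ, δ)-PassiveUNC as functions that play the role of the trusted party, computes the second-stage rate ν from γ ⊞ ν = δ, and verifies by exact enumeration of (b', b'') that the receiver's error rate is δ without side information but drops to γ once the adversary's bit z is known. The parameter values GAMMA and DELTA, the function names and the string labels for the corrupted party are constructed for the example.

```python
from fractions import Fraction
from itertools import product


def cascade(x, y):
    """x ⊞ y = x(1 - y) + (1 - x)y, the error rate of two cascaded BSCs."""
    return x * (1 - y) + (1 - x) * y


def second_stage_rate(gamma, delta):
    """The nu with gamma ⊞ nu = delta, i.e. nu = (delta - gamma) / (1 - 2*gamma)."""
    return (delta - gamma) / (1 - 2 * gamma)


def unc_send(b, error_probability, gamma, delta, rng):
    """(γ,δ)-UNC Send followed by the adversary's 'Error probability' command.
    An error probability outside [γ..δ] is ignored (None); otherwise the receiver
    gets b_hat = b ⊕ b' with Pr[b' = 1] = error_probability."""
    if not (gamma <= error_probability <= delta):
        return None
    b_prime = int(rng.random() < float(error_probability))
    return b ^ b_prime


def passive_unc_send(b, gamma, delta, corrupted, rng):
    """(γ,δ)-PassiveUNC Send. Returns (b_hat, z), where z is the side information
    handed to the adversary (None if nobody is corrupted).
    corrupted is one of None, 'sender', 'receiver' (constructed labels)."""
    nu = second_stage_rate(gamma, delta)
    b_prime = int(rng.random() < float(gamma))     # Pr[b' = 1] = gamma
    b_dprime = int(rng.random() < float(nu))       # Pr[b'' = 1] = nu
    b_hat = b ^ b_prime ^ b_dprime
    z = None
    if corrupted == "sender":
        z = b ^ b_dprime                           # b_hat = z ⊕ b', off by gamma
    elif corrupted == "receiver":
        z = b ^ b_prime                            # b = z ⊕ b', off by gamma
    return b_hat, z


def passive_unc_error_rates(gamma, delta):
    """Exact analysis by enumerating (b', b''). Returns
    (Pr[b_hat != b], Pr[b_hat != z | sender corrupted], Pr[b != z | receiver corrupted])."""
    nu = second_stage_rate(gamma, delta)
    honest = sender = receiver = Fraction(0)
    b = 0  # the channel is symmetric, so b = 0 is without loss of generality
    for b_prime, b_dprime in product((0, 1), repeat=2):
        pr = (gamma if b_prime else 1 - gamma) * (nu if b_dprime else 1 - nu)
        b_hat = b ^ b_prime ^ b_dprime
        honest += pr * (b_hat != b)
        sender += pr * (b_hat != (b ^ b_dprime))   # z = b ⊕ b'' for a corrupted sender
        receiver += pr * (b != (b ^ b_prime))      # z = b ⊕ b'  for a corrupted receiver
    return honest, sender, receiver


def cascade_shift(x, x_prime, y):
    """|x ⊞ y − x' ⊞ y|; algebraically this is |x − x'|·|1 − 2y| ≤ |x − x'|."""
    return abs(cascade(x, y) - cascade(x_prime, y))


# Constructed channel parameters for the example.
GAMMA = Fraction(1, 10)
DELTA = Fraction(1, 5)

if __name__ == "__main__":
    import random
    rng = random.Random(0)
    print("nu =", second_stage_rate(GAMMA, DELTA))
    print("error rates (honest, sender has z, receiver has z):",
          passive_unc_error_rates(GAMMA, DELTA))
    print("one PassiveUNC transmission with corrupted receiver:",
          passive_unc_send(1, GAMMA, DELTA, "receiver", rng))
```

The enumeration returns (δ, γ, γ) for any admissible γ < δ < 1/2, which is the precise content of “given z, the noise rate goes down to γ”; cascade_shift shows that moving x by ν moves x ⊞ y by at most ν, as the text states for ⊞.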

We need to consider the use of commitments and zero-knowledge proofs in our protocols. This can also be modeled by an ideal functionality, where one commits simply by giving the bit to the trusted party, who will then later open it on request from the committer. Furthermore, the trusted party will confirm that committed bits satisfy a given formula, if this is indeed true.

Functionality Commit-and-prove (CaP)

Commit cID, b: Receiving this command, where cID is a bitstring and b is a bit, do as follows: if no message containing cID has been received yet, record the value of cID, b and send as output Commit, cID to all players.

Open cID: if cID, b has been received earlier from the player issuing this command, send b to all players.

Prove L, Φ: Receiving this command, where L is a list of bit strings and Φ is a Boolean formula, check if L contains only strings that have been used as identifiers for bits committed to by the issuer of the Prove command. If so, find the corresponding bits and check if they satisfy Φ. If so, send (OK, L, Φ) to all players. Else, send (Fail, L, Φ).

As bit commitment scheme in our protocols, we will use the UNC-based construction from [7], which works assuming δ < 2γ(1 − γ), which we will assume throughout. This scheme is statistically close to perfect, regardless of A and B's computing power. Furthermore, given any commitment scheme, one can always construct a new one where one can prove in zero-knowledge that committed bits satisfy a given Boolean formula (see [11]). It follows that in any protocol where we assume access to a UNC, we may assume also a CaP without loss of generality.

A final functionality that will come in handy is the ability to choose random bits and numbers with a prescribed distribution:

Functionality RandomChoice

Flip sID, ν: Here sID is a session ID and ν must be a probability. Once the functionality has received this command from every player containing identical values of sID, ν, it chooses a bit b at random such that Pr(b = 1) = ν and sends b to all players.

Uniform sID, j: Here sID is a session ID and j must be a natural number. Once the functionality has received this command from every player containing identical values of sID, j, it chooses i uniformly from [0..j − 1] and sends i to all players.

Using standard techniques, one can implement this functionality based on the 
CaP, with a statistically good simulation. It should be noted that in our two- 
player scenario, functionalities such as RandomChoice can only be realized if the 
adversary is allowed to abort after seeing the output. But this is consistent with 
the UC framework, where adversary and simulator are indeed allowed to abort 
any time. 

4 Committed (Passive) UNC

We first define informally the notion of a committed UNC. This is a protocol for players A, B, using a (γ, δ)-UNC and an error free channel. We will assume that δ < 2γ(1 − γ), so that bit commitment can be done, based on the UNC. Note that if the UNC can only send bits from A to B, we can still simulate a UNC in the opposite direction using the error free channel, so that we can assume that both A and B can commit to bits without loss of generality.

Intuitively, the purpose of a committed UNC is to act just like an ordinary UNC, but such that players are committed to the bits they send/receive on the UNC, at least except with some bounded probability.

We now define this concept more formally: a committed UNC protocol may halt because A or B reject. Otherwise it outputs two commitments, one from A containing a bit b_A, and one from B containing a bit b_B. Finally, the output designates one of the transmissions that were made over the UNC from A to B. Let s_A resp. t_B be the bit sent, respectively received in this transmission.

We require that if A, B both follow the protocol, then both players accept except with probability negligible in the security parameter k. Also, whenever A is honest, we have that s_A is uniformly random and b_A = s_A. Whenever B is honest, we have t_B = b_B. When A is corrupted and B is honest, we let p_A be the probability of the event that B accepts and b_A ≠ s_A. Similarly, when B is corrupted and A is honest, we let p_B be the probability that A accepts and t_B ≠ b_B. In general, the error probabilities p_A, p_B will be functions of γ, δ and the security parameter k.

The argument sketched in [7] on constructing OT from UNC took as point of departure a protocol that builds OT from a (γ, δ)-PassiveUNC for certain values of γ, δ and is secure assuming that players cheat only passively, i.e., are honest, but curious. It was then noted that one can replace the PassiveUNC with a UNC, still assuming that only passive cheating occurs. The final idea was then to replace the UNC with a committed UNC (although this notion was not formally defined there) and have players prove in ZK that they were following the protocol. If the error probabilities of the committed UNC could be made arbitrarily small with increasing k, then this would result in an OT secure against active cheating for essentially the same values of γ, δ that could be handled in the passive case. But unfortunately, this is impossible:

Theorem 1. Any committed UNC as defined above, based on a (γ, δ)-UNC, must have p_A, p_B ≥ (δ − γ)/(1 − 2γ).

Proof. Suppose, for instance, that A is cheating. Then A always sets the minimal noise level γ for the UNC, but adds artificial noise to each transmission with noise rate ε such that the total error probability for each transmission is ε ⊞ γ = δ. On the resulting transmissions, he runs a copy A_0 of the honest algorithm for A. Clearly, B (who is honest) cannot distinguish this from an all honest situation where the noise rate happens to be δ all the time, and so he must accept with overwhelming probability. However, it now holds for every transmission that the bit committed to and also sent by A_0 differs from the one A actually sent with probability ε. The theorem follows. □
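Both the BSC cut-and-choose check from the introduction and the cheating strategy in the proof of Theorem 1 can be run as a small simulation. The following is an added example, not code from the paper: the channel parameters GAMMA and DELTA, the number of transmissions n, the slack the receiver tolerates above δ, and the choice that a cheating sender lies on a fixed set of leading positions are all constructed for the example. The Theorem 1 part needs no randomness, since with exact fractions cascade(ε, γ) equals δ, so B's channel statistics are identical to the all-honest case while the committed bit and the physically sent bit disagree with the constant probability ε = (δ − γ)/(1 − 2γ).

```python
from fractions import Fraction
import random


def cascade(x, y):
    """x ⊞ y: the error rate of two cascaded BSCs with error rates x and y."""
    return x * (1 - y) + (1 - x) * y


def artificial_noise_rate(gamma, delta):
    """The eps with eps ⊞ gamma = delta, i.e. (delta - gamma) / (1 - 2*gamma)."""
    return (delta - gamma) / (1 - 2 * gamma)


def theorem1_attack(gamma, delta):
    """Cheating A from the proof of Theorem 1: UNC noise pinned to gamma and each bit
    of the honest copy A0 flipped with probability eps before sending.
    Returns (error rate observed by B, Pr[committed bit != bit physically sent])."""
    eps = artificial_noise_rate(gamma, delta)
    return cascade(eps, gamma), eps


def bsc_cut_and_choose(n, delta, lies, rng, slack=Fraction(1, 20)):
    """The BSC check from the introduction. S commits to b_i and sends them over a
    BSC with known rate delta; a cheating S sends the complement at the positions
    in `lies`. R opens all but a random j and rejects if the fraction of opened
    positions that disagree with the received bits exceeds delta + slack.
    Returns (accepted, j in lies); the check must make both true only rarely."""
    p_flip = float(delta)
    committed = [rng.randrange(2) for _ in range(n)]
    sent = [b ^ (i in lies) for i, b in enumerate(committed)]
    received = [s ^ (rng.random() < p_flip) for s in sent]
    j = rng.randrange(n)
    disagree = sum(committed[i] != received[i] for i in range(n) if i != j)
    accepted = Fraction(disagree, n - 1) <= delta + slack
    return accepted, j in lies


def cheat_success_rate(n, delta, num_lies, trials, seed=1):
    """Monte Carlo estimate of (Pr[R accepts and the unopened bit was a lie],
    Pr[R accepts]); the lies sit on the first num_lies positions (constructed)."""
    rng = random.Random(seed)
    lies = set(range(num_lies))
    bad = accepted_count = 0
    for _ in range(trials):
        accepted, unopened_lie = bsc_cut_and_choose(n, delta, lies, rng)
        bad += accepted and unopened_lie
        accepted_count += accepted
    return Fraction(bad, trials), Fraction(accepted_count, trials)


# Constructed channel parameters for the example.
GAMMA = Fraction(1, 10)
DELTA = Fraction(1, 5)

if __name__ == "__main__":
    print("Theorem 1 attack (rate seen by B, commit/send disagreement):",
          theorem1_attack(GAMMA, DELTA))
    for num_lies in (0, 1, 500):
        print("BSC check, lies =", num_lies, "->", cheat_success_rate(1000, DELTA, num_lies, 100))
```

On the BSC an honest sender is accepted essentially always, a single lie survives only when it lands on the one unopened position (probability 1/n), and lying on many positions pushes the disagreement fraction far above δ and is rejected; on the UNC none of this helps, because theorem1_attack returns exactly δ for the rate B observes.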

Theorem 1 essentially says that we cannot force a player to commit to the bit he physically sends on a UNC. To get around this problem, we take a different point of view: we will create a new virtual channel from the UNC, where a bit committed to by the sender is by definition the bit sent on the new channel. Any difference between the committed bit and what is sent on the original UNC is regarded as noise. With appropriate checking that a cheating player does not introduce too much noise this way, it turns out that we obtain something that behaves essentially like a PassiveUNC, even in the presence of active cheating. We model this by an ideal functionality called (γ, δ, q())-Committed PassiveUNC (CPUNC). It combines a functionality similar to the PassiveUNC with the Commit-and-Prove functionality. In particular, it allows one to commit to bits with or without sending them on the channel. But if they are sent, sender and receiver will be committed to what they send/receive. With security parameter k, the error rate will be in the range δ ± 1/q(k), but will drop to γ given the view of a cheating player. Note that a CPUNC is not a committed UNC, and so Theorem 1 does not forbid the existence of a secure implementation.

Functionality (γ, δ, q())-CPUNC 

Stop. On receiving this command from the adversary, the CPUNC stops working 
and ignores all further commands. 

Send cID, b: CPUNC comes with parameters 0 < γ < δ < 1/2, a security 
parameter value k and a polynomial q(). The issuer of the Send command 
is called the sender, the other party is the receiver. The string cID must 
not have been used before to identify a sent, received or committed bit, 
else the command is ignored. On receipt of this command from A or B, the 
functionality records cID, b and outputs the string “which error probability?” 
to the adversary; it ignores all further commands until the adversary sends 
an “Error probability” command. 

Error probability κ': On receiving this command from the adversary, the 
functionality checks whether |δ − κ'| ≤ 1/q(k). If not, the command is ignored. 
Otherwise, the functionality chooses random bits b', b'' such that Pr(b' = 1) = γ 
and Pr(b'' = 1) = μ, where μ ⊛ γ = κ'. This ensures that Pr(b' ⊕ b'' = 1) = κ'. 
The functionality sets b̂ = b ⊕ b' ⊕ b''. If the adversary has corrupted a player, 
it sends to the adversary a bit z, where z = b ⊕ b'' if the sender is corrupted, 
and z = b ⊕ b' if the receiver is corrupted. It records cID, b as if the sender 
had committed to b. It then sends cID to all players, and ignores all further 
commands until the receiver sends a “Receipt” command. 

Receipt cID: This command is ignored if cID has been used to identify any 
committed, sent or received bit earlier. If this is not the case, the CPUNC 
records cID, b̂ as if the receiver had committed to b̂, it sends cID to all 
players and b̂ to the receiver. 

Commit cID, b: On receiving this command, where cID is a bit string and b is a 
bit, do as follows: if cID has not been used to identify a sent, received or 
committed bit before, record the value of cID, b and send as output Commit, cID 
to all players. 

Open cID: if cID, b has been recorded as a commitment from the player issuing 
this command, send b to all players. 

Prove L, Φ: On receiving this command, where L is a list of bit strings and Φ is 
a Boolean formula, check whether L contains only strings that have been used as 
identifiers for bits committed to by the issuer of the Prove command. If so, 
find the corresponding bits and check whether they satisfy Φ. If so, send 
(OK, L, Φ) to all players. Else, send (Fail, L, Φ). 

We now describe a protocol that securely realizes the functionality we just 
described. We assume that the protocol has access to the UNC, CaP and 
RandomChoice functionalities. The protocol is described by specifying how each 
of the commands is implemented. The amount of work done in the protocol is 
specified by a polynomial p(k), where k is the security parameter. 
Stop. This command has no direct implementation; the idea is that whenever 
the adversary behaves such that the honest party detects cheating and 
aborts, this is equivalent to sending a Stop command in the ideal scenario. 

Send (Transmission Step). We describe how A will send a bit b to B. 

1. A commits to b. 

2. A chooses at random bits B = b_1, ..., b_{kp(k)^3}, commits to each bit 
and sends each bit to B over the UNC. B commits to every bit 
B̂ = b̂_1, ..., b̂_{kp(k)^3} he receives. 

3. Call RandomChoice kp(k)^2 times to generate integers j_i chosen uniformly 
in the range [1..kp(k)^3], for i = 1, ..., kp(k)^2. 

4. All bits b_{j_i}, b̂_{j_i} are opened. Let κ be the fraction of the kp(k)^2 
opened positions where b_{j_i} ≠ b̂_{j_i}. A and B check that κ < δ + 1/p(k). 
They abort all interaction if this is not satisfied. 

5. Call RandomChoice to generate an integer j uniformly chosen among 
the indices of positions that were not opened in the previous step. A 
sends b' = b ⊕ b_j using error-free transmission and proves (using CaP) 
that this value is correct. 

6. Let μ be defined by κ ⊛ μ = δ + 1/p(k). By a call to RandomChoice, 
generate a bit c such that Pr(c = 1) = μ. 

7. B defines the bit he receives as b̂ = b̂_j ⊕ b' ⊕ c. He commits to b̂ and 
proves (using CaP) that the committed value is correct. 

If B wants to send a bit to A, we implement this in the same way as above, 
by interchanging the roles of A and B and of b_j and b̂_j. 

Commit, Open, Prove. Each of these commands corresponds directly to a 
command that is already available in the Commit-and-Prove functionality 
we assume we have access to. Therefore these commands are implemented 
by directly calling the corresponding command with the same input in the 
Commit-and-Prove. Note that inputs to the Prove or Open command may 
include bits that were sent or received during a Send command, since these 
are also committed to. 

Before proving anything about this construction, we first describe the 
intuition behind it: for bit strings X, Y of equal length, let err(X, Y) be the 
fraction of positions where X disagrees with Y. Now, if both parties are honest, 
the expected value of err(B, B̂) is at most δ, so allowing the estimate κ to be 
up to δ + 1/p(k) implies that we reject with negligible probability, as we shall 
see. Then assume that one player, say A, is corrupted, and let 
B̃ = b̃_1, ..., b̃_{kp(k)^3} be the bits actually sent by A on the UNC when a bit 
is transmitted. Let e = err(B, B̃). Since the UNC introduces errors with 
probability γ independently of anything else, we expect that 
e ⊛ γ ≈ err(B, B̂) ≈ κ, and hence that eS’-fSpfVKSpfaS. 
Here, ≈ means equality up to a 1/poly() term. 

We can now see that after doing the transmission step, A is actually in a 
position approximately equivalent to having sent b on a (γ, δ)-PassiveUNC: we 
have that the bit b sent is related to the bit b̂ received as 
b̂ = b ⊕ (b_j ⊕ b̃_j) ⊕ c ⊕ n_j, where n_j is a noise bit chosen by the UNC, 
such that Pr(n_j = 1) = γ. By the choice of c, and the random choice of j, we 
have 

Pr(b̂ ≠ b) = Pr((b_j ⊕ b̃_j) ⊕ c ⊕ n_j = 1) ≈ e ⊛ μ ⊛ γ ≈ κ ⊛ μ ≈ δ. 

But since the adversary knows (b_j ⊕ b̃_j) ⊕ c, the error rate from his point 
of view is only what is introduced by the UNC, namely γ. 
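To make the transmission step and the error bookkeeping of the preceding 
paragraph concrete, the following Monte Carlo simulation runs the Send step 
(steps 2 to 7) many times and measures the three quantities the text talks 
about: how often the check of step 4 passes, how often B's bit differs from b, 
and how often the UNC itself flipped the position finally used (the residual 
error from the sender's point of view). It is an added example written for 
this page, not code from the paper or its authors. It assumes a simplified UNC 
whose noise rate per run is a single value channel_noise in [γ, δ] (an 
assumption; the UNC's own noise-selection rule is not restated here), models 
RandomChoice by a seeded PRNG, and omits the commitment and proof machinery 
(CaP), which only enforces that the bits used in steps 5 and 7 are the 
committed ones. The parameter sender_err plays the role of e = err(B, B̃): the 
rate at which the sender's committed bits differ from the bits it physically 
puts on the channel (0 for an honest sender; the artificial-noise strategy 
from the proof of Theorem 1 otherwise). All function and parameter names are 
mine. 

```python
import random


def combine(x, y):
    """Error rate of two independent bit-flip sources applied in sequence:
    x ⊛ y = x(1 - y) + (1 - x)y.  The bit is flipped overall iff exactly one
    of the two sources flips it."""
    return x * (1 - y) + (1 - x) * y


def solve_combine(target, y):
    """Return x with x ⊛ y == target (requires y != 1/2), e.g. the artificial
    noise rate mu with mu ⊛ gamma = delta from the proof of Theorem 1."""
    return (target - y) / (1 - 2 * y)


def transmission_step(b, gamma, delta, k, p, rng, channel_noise=None,
                      sender_err=0.0):
    """One Send of bit b from A to B.  k is the security parameter, p the value
    p(k) of the work polynomial.  Returns the estimate kappa, whether the check
    of step 4 passed, the bit B ends up with, and the UNC noise bit n_j on the
    position finally used (the only part of the error the sender cannot see)."""
    if channel_noise is None:
        channel_noise = delta            # assumption: honest run at the maximal rate
    n = k * p ** 3                       # step 2: kp(k)^3 positions
    committed = [rng.random() < 0.5 for _ in range(n)]           # b_i  (A commits)
    sent = [c ^ (rng.random() < sender_err) for c in committed]   # b~_i (on the wire)
    noise = [rng.random() < channel_noise for _ in range(n)]      # n_i  (UNC)
    received = [s ^ z for s, z in zip(sent, noise)]               # b^_i (B commits)
    # steps 3-4: open kp(k)^2 uniformly chosen positions (with replacement)
    m = k * p ** 2
    opened = [rng.randrange(n) for _ in range(m)]
    kappa = sum(committed[j] != received[j] for j in opened) / m
    if not kappa < delta + 1 / p:
        return {"kappa": kappa, "accepted": False}
    # step 5: a fresh unopened position j; A reveals b' = b xor b_j
    opened_set = set(opened)
    j = rng.choice([i for i in range(n) if i not in opened_set])
    b_prime = b ^ committed[j]
    # step 6: mu with kappa ⊛ mu = delta + 1/p(k); c is 1 with probability mu
    mu = solve_combine(delta + 1 / p, kappa)
    c = rng.random() < mu
    # step 7: B's output bit
    b_hat = received[j] ^ b_prime ^ c
    return {"kappa": kappa, "accepted": True, "received": int(b_hat),
            "mu": mu, "unc_flip": int(noise[j])}


def estimate_rates(gamma, delta, k, p, trials, channel_noise=None,
                   sender_err=0.0, seed=2004):
    """Run many transmissions and report: the fraction of runs that pass the
    check, the fraction of accepted runs where B's bit differs from b (about
    delta + 1/p(k)), and the fraction where the UNC flipped the used position
    (the residual error rate from the sender's point of view)."""
    rng = random.Random(seed)
    accepted = errors = unc_flips = 0
    for t in range(trials):
        b = t & 1                        # alternate the sent bit
        out = transmission_step(b, gamma, delta, k, p, rng, channel_noise,
                                sender_err)
        if not out["accepted"]:
            continue
        accepted += 1
        errors += out["received"] != b
        unc_flips += out["unc_flip"]
    return {"accept_rate": accepted / trials,
            "error_rate": errors / accepted if accepted else None,
            "sender_view_rate": unc_flips / accepted if accepted else None}


if __name__ == "__main__":
    gamma, delta, k, p = 0.1, 0.2, 2, 10     # constructed toy parameters
    print("honest:", estimate_rates(gamma, delta, k, p, 300))
    mu = solve_combine(delta, gamma)         # mu ⊛ gamma = delta (Theorem 1)
    print("min noise + artificial noise mu:",
          estimate_rates(gamma, delta, k, p, 300, gamma, mu))
    print("far too much artificial noise:",
          estimate_rates(gamma, delta, k, p, 300, gamma, 0.4))
```

With the toy values γ = 0.1, δ = 0.2, p(k) = 10, the honest run and the 
Theorem-1 style run (channel at γ plus artificial noise μ with μ ⊛ γ = δ) both 
pass the check almost always and both leave B with an error rate near 
δ + 1/p(k) = 0.3; the difference is in sender_view_rate, which is the channel's 
own rate (about 0.2 when the channel runs at δ, about γ = 0.1 in the second 
run). A sender who adds much more noise is rejected in step 4 almost always, 
since κ then concentrates well above δ + 1/p(k). 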

In the full paper [ 6 ] we show the theorem below. First, some terminology to 
state the result: we say that a simulator (in the UC framework) is non-blocking, 
if it stops the CPUNC (by sending a stop command or refusing to give correct 
input when asked for it) with only negligible probability. 

Theorem 2. The Committed Passive UNC protocol securely realizes the 
(γ, δ, q())-CPUNC functionality when given access to ideal (γ, δ)-UNC, CaP and 
RandomChoice functionalities, and for any polynomial q(), provided we choose 
the polynomial p() measuring the work done in the protocol as p(k) = 4q(k). 
Moreover, for the case where both players are honest, the simulator is 
non-blocking. 

Remark 1. The last claim in the theorem is a way to state in the UC framework 
the traditional completeness property for a 2-party protocol: if both players are 
honest, the protocol completes successfully with overwhelming probability. 

5 From Passive to Active Security 

In this section, we sketch a proof of the following result: 

Theorem 3. Let π be any protocol that securely realizes OT based on a (γ, δ)- 
PassiveUNC assuming a passive adversary. Then there exists a protocol with 
complexity polynomial in that of π that also securely realizes OT based on a 
(γ, δ)-UNC, assuming an active adversary. 

So we assume we have a protocol π that implements Oblivious Transfer given 
access to a (γ, δ)-PassiveUNC functionality, and that this protocol is secure 
against a passive adversary. 

We then note that the previous section showed how to implement the CPUNC 
functionality based on the UNC. Therefore from π, we may construct a protocol 
π' as follows: active cheating is prevented by first making players commit to 
all inputs, and furthermore, the random coins of a player are decided using a 
standard trick: the player in question commits to a random string a, the other 
player sends a random string b in the clear and the random coins to be used are 
a ⊕ b. Second, all transmissions over the PassiveUNC now take place using the 
CPUNC, and each time something is sent, one uses the CPUNC to prove that 
what was sent was computed according to π with the given (committed) inputs, 
random coins and messages received earlier. 

Note that a player trying to send an incorrect message will be caught with 
certainty. Therefore, the views obtained by the players are always (a possibly 
truncated version of) what would be obtained in presence of a passive adversary. 

Our first goal will be to show that π' implements a weak form of OT (which 
then implies standard OT), namely a (p, q, ε)-WOT as defined in Section 3. 







Lemma 1. π' as described above realizes (with statistically good simulation) a 
(p, q, ε)-WOT with p = q = ε = 3/k, when π is executed with security parameter 
value k. 

Proof. (Sketch) The above discussion implies that we only have to show the 
lemma for a passive adversary: the only difference between a passive and an 
active attack on π' is that the adversary may stop early in the active case, and 
this can never be prevented in an active attack. Assuming a passive adversary, 
the only difference between π and π' is that π' does not use a (γ, δ)-PassiveUNC 
but a (γ, δ, f())-CPUNC where the adversary can make the error probability 
fluctuate slightly around δ. This fluctuation is not negligible, namely it is of 
size 1/f(k). However, by Theorem 2, we can choose f() to be any polynomial we 
like, so assuming π calls the PassiveUNC t(k) times, for some polynomial t(), 
we choose f(k) = k t(k). 

Consider the view of a (passively) corrupted sender in π, represented by the 
random variable V. Let adv_π(k, v) be the advantage over 1/2 with which the 
selection bit can be guessed given that V = v and the protocol was executed 
with security parameter value k. Let adv_π(k) = Σ_v Pr(V = v) · adv_π(k, v) be 
the expected value. Since π was assumed to be secure, adv_π(k) is negligible 
in k (this is equivalent to asserting that the mutual information between the 
selection bit and V is negligible). Then define a particular possible value v of 
V to be good if adv_π(k, v) < √adv_π(k), and let E be the event that V takes 
a bad value. Then clearly, E occurs with probability at most √adv_π(k). We 
now define t(k) + 1 hybrids that are in between π and π': namely in the i'th 
hybrid, where i = 0..t(k), we run the normal protocol, but for communication, 
we use a (γ, δ)-PassiveUNC for the first i calls to the communication channel, 
and then the (γ, δ, f())-CPUNC for the rest. Then hybrid 0 is π' while hybrid 
t(k) is π. When executing hybrid i, we define E_i to be the event that the 
information contained in the sender's view about the selection bit is larger 
than adv_π(k). Let ε_i be the probability that E_i occurs. Of course 
ε_{t(k)} = Pr(E) ≤ √adv_π(k). Also, the only difference between hybrid i and 
i + 1 is that in the (i + 1)'st call to the communication channel, the results 
returned by the channel have distributions with statistical difference at most 
2/f(k) between them. It follows that |ε_i − ε_{i+1}| ≤ 2/f(k), and hence 
ε_0 ≤ ε_{t(k)} + 2t(k)/f(k) ≤ √adv_π(k) + 2/k. 

The “OT” that π' implements is therefore no worse than a protocol that with 
probability, say, 3/k reveals the selection bit to the sender, and otherwise 
leaks a negligible amount of information. A similar argument holds for the view 
of a corrupted receiver; also this type of argument shows that an honest 
receiver will receive the correct bit, except with probability at most 3/k. 
Thus what we have is statistically indistinguishable from a (p, q, ε)-WOT, with 
p = q = ε = 3/k. □ 

We can then complete the argument for the theorem: In [7], a reduction is 
shown that implements OT based on any (p, q, ε)-WOT, as long as p + q + 2ε < 
0.45. Moreover, it is easy to verify that by choosing k large enough the 
reduction implements OT efficiently, i.e., it only makes a polynomial number of 
calls to the underlying WOT. Therefore, by the above lemma, we can replace the 
WOT by π' and still obtain a secure OT (even though π' is only statistically 
close to the required WOT). This implies the result we wanted. 



6 Extended Positive Results 

In this section, we shall assume the result of Theorem 3 and focus on reducing 
OT to a (γ, δ)-PassiveUNC securely against passive adversaries. The strategy of 
[7] is as follows. First, the (γ, δ)-PassiveUNC is used to construct an imperfect 
version of OT which may leak information about the parties' private inputs. 
This imperfect OT is modeled by a WOT. OT is then shown to be reducible to 
WOT for certain values of (γ, δ). 

However, WOT does not precisely capture the imperfect OT obtained in the 
construction: in WOT the corrupted sender/receiver gets the selection/secret 
bit (which he is not supposed to see) with a certain probability, while in the 
imperfect OT obtained the corrupted sender/receiver only gets some information 
about that bit with a certain probability. As a consequence, in order to 
fit the imperfect OT into the WOT model, it is assumed in [7] that every time 
the dishonest sender/receiver gets some information about the selection/secret 
bit, he actually gets full information. Hence, the information leakage is 
overestimated in [7]. We introduce a new Generalized Weak Oblivious Transfer 
(GWOT) primitive which allows modeling imperfect OTs which leak information 
about the parties' private inputs in a much more general way than WOTs, without 
overestimating the information leakage. In particular, it precisely captures the 
imperfect OT resulting from the construction of [7]. Informally, in a GWOT the 
corrupted sender/receiver gets the selection/secret bit over a BSC with some 
error probability which is chosen according to some distribution (and announced 
to the corrupted party). Formally, consider parameters {(s_i, α_i)}_i and 
{(r_i, β_i)}_i, where i = 1, ..., N, and ε such that {s_i}_i and {r_i}_i are 
probability distributions (over {1, ..., N}) and 0 ≤ α_i, β_i, ε ≤ 1/2 for 
i = 1, ..., N. A GWOT with respect to these parameters is specified by a 
functionality of the following kind. 

Functionality ({(s_i, α_i)}_i; {(r_i, β_i)}_i; ε)-GWOT 

Send (b_0, b_1): The functionality's action on this command is the same as in OT. 
Choice c: If c ∉ {0, 1} then the functionality ignores the command. Otherwise, 
it chooses b̂_c ∈ {0, 1} such that Pr(b̂_c ≠ b_c) = ε and sends it to the receiver. 
Additionally, if the sender is corrupted, then it chooses I ∈ {1, ..., N} and 
ĉ ∈ {0, 1} such that Pr(I = i) = s_i and Pr(ĉ ≠ c | I = i) = α_i, and it 
sends I and ĉ to the sender. And/or, if the receiver is corrupted, then it 
chooses I ∈ {1, ..., N} and b̂_{1−c} ∈ {0, 1} such that Pr(I = i) = r_i and 
Pr(b̂_{1−c} ≠ b_{1−c} | I = i) = β_i, and it sends I and b̂_{1−c} to the receiver. 

We will say that a corrupted sender gets c “sent through {(s_i, α_i)}_i” and 
similarly a corrupted receiver gets b_{1−c} “sent through {(r_i, β_i)}_i”. 

Note that there is some ambiguity in the functionality's action in that it is not 
required that b̂_c is chosen independently of I and ĉ, respectively of I and 
b̂_{1−c}, as long as the marginal distribution of b̂_c is correct. Furthermore, a 
(p, q, ε)-WOT obviously coincides with a 
({(p, 0), (1 − p, 1/2)}; {(q, 0), (1 − q, 1/2)}; ε)-GWOT. 

It will be convenient to introduce a GWOT of a very particular form, a 
Special Generalized Oblivious Transfer (SGWOT). Informally, in a SGWOT the 
corrupted sender/receiver either gets no information on the selection/secret bit 
or he receives it over a BSC with a certain (fixed) error probability. Formally, 
for parameters s, α, r, β, ε with 0 ≤ s, r ≤ 1 and 0 ≤ α, β ≤ 1/2, 

((s, α), (r, β), ε)-SGWOT = ({(s, 1/2), (1 − s, α)}; {(r, 1/2), (1 − r, β)}; ε)-GWOT. 

Consider the reduction of WOT to (γ, δ)-PassiveUNC given in Appendix A 
of [7]. As mentioned above, this construction actually results in a GWOT (which 
is modeled by a WOT by giving away information to the adversary). As a matter 
of fact, as can easily be seen, it results in a SGWOT. The following Lemma 
expresses the parameters of the resulting SGWOT as a function of (γ, δ). For 
convenience, we write μ such that γ ⊛ μ = δ. The proof of the Lemma 
follows by straightforward analysis of the reduction WOTfromPassiveUNC of [7]. 

Lemma 2. When run with a (γ, δ)-UNC, reduction WOTfromPassiveUNC defined 
in [7] produces a ((s, α), (r, β), ε)-SGWOT with the following parameters: 

^ 7(1 - 7)(7" + (1 - + 6m^(1 - u? + (1 - OO ^ 47^(1 - 7 )" . . 

<5(1 - 5)(<52 + (1 - <5)2) ’ Je - -f'^) + (I - 

7(l-7)O^ + (l-O0 3 7^ 

5(1-5) + 

s'^ + ii-sy 

We have expressed the parameters of the ((s, α), (r, β), ε)-SGWOT in terms of 
those of the underlying (γ, δ)-PassiveUNC. Now we would like to exploit the 
machinery of [7] in order to reduce OT to SGWOT. A composition of three basic 
reductions is used in order to transform a WOT into an OT. The first reduction, 
S-Red(ℓ), decreases the sender's information about the selection bit by 
executing the WOT ℓ times such that the final selection bit is the parity of all 
selection bits used during the ℓ executions (this reduction was introduced in 
[5]). The second reduction, R-Red(ℓ), decreases the receiver's information 
about the bit that was not selected by encoding it into the parity of ℓ 
transmissions. The final reduction, E-Red(ℓ), decreases the error rate by 
executing ℓ identical transmissions through a WOT. Each of these reductions 
transforms the WOT into a new one (with new parameters), and it is shown in [7] 
that for certain initial parameters the sequence of WOTs converges to an OT 
(in some well-defined meaningful sense). 

In [7], the ((s, α), (r, β), ε)-SGWOT obtained after invoking WOTfromPassiveUNC 
was modeled by a (1 − s, 1 − r, ε)-WOT, i.e., in order to fit the imperfect 
OT into the WOT framework, the error probabilities α and β were assumed 
to be zero by giving the corrupted party some information for free. Clearly, a 
tighter analysis should avoid this kind of strengthening of the corrupted party 
for proof-technical convenience. A straightforward approach would be to try to 
show that for certain initial parameters, the sequence of GWOTs resulting from 
applying the S-, R- and E-Red reductions to the initial SGWOT converges to 
an OT. Unfortunately, as the reduction of OT to WOT defined in [7] is executed, 
the shape of the GWOTs quickly becomes very complex and difficult to analyze. 
In order to avoid this problem, we give a generic way to replace a (possibly very 
complex) GWOT by another (ideally simpler) one such that if the new GWOT 
allows for OT then the initial GWOT also allows for OT; however, in contrast to 
the strategy of [7] of simply setting the error probabilities to zero, we try 
to be much tighter. 

The next definition introduces a partial ordering among probability 
distributions over BSCs, i.e. among sets of the form {(s_i, α_i)}_i or 
{(r_i, β_i)}_i as considered above, that will be shown (in Lemma 3) to capture 
the relative difficulty of generating OT using the reduction considered in [7]. 
Intuitively, we say that S ≼ S' if S can be transformed into S' by removing BSCs 
from S and replacing each of them by a Bernoulli distribution over 2 BSCs such 
that the average guessing probability for the bit sent through S is the same as 
when sent through S'. 

Definition 1. Let S = {(p_i, ε_i)}_{i=1}^N and S' be two probability 
distributions over BSCs. We say that S ≼ S' if there exists 1 ≤ i ≤ N as well 
as 0 ≤ δ ≤ 1 and 0 ≤ ε⁻ ≤ ε ≤ ε⁺ ≤ 1/2 such that 

1. S' is of the form S' = S \ {(p_i, ε_i)} ∪ {((1 − δ)p_i, ε⁻), (δp_i, ε⁺)} and 

2. ε_i = ε = (1 − δ) · ε⁻ + δ · ε⁺, 

or if there exists a sequence S = S_0, S_1, ..., S_k = S' of probability 
distributions over BSCs such that S_{κ−1} ≼ S_κ in the above sense for 
κ = 1, ..., k. 

Note that in case ε_j = ε_k for some 1 ≤ j < k ≤ N, we identify S = {(p_i, ε_i)}_{i=1}^N 
with S* = S \ {(p_j, ε_j), (p_k, ε_k)} ∪ {(p_j + p_k, ε_j)}. This is justified in 
that it is immaterial in our context whether a bit is sent through S or 
through S*. 

The next lemma, a proof of which can be found in the full paper [6], shows 
that the partial ordering S ≼ S' means that as far as the reductions S-Red, 
R-Red and E-Red are concerned, S is easier to deal with than S'. 

Lemma 3. If OT can be reduced to (S'; R'; ε)-GWOT by a sequence of 
reductions S-Red, R-Red, and E-Red, then OT can be reduced to any 
(S; R; ε)-GWOT with S ≼ S' and R ≼ R'. 

One application of Lemma 3 allows improving the analysis of [7]. As we have 
seen in Lemma 2, the imperfect OT obtained from a UNC using reduction 
WOTfromPassiveUNC is a ((s, α), (r, β), ε)-SGWOT. Using Lemma 3 
it is straightforward to verify that we can replace this SGWOT by a (p_s, q_r, ε)- 
WOT with p_s = (1 − s)(1 − 2α) and q_r = (1 − r)(1 − 2β). Indeed, for 
instance, the corrupted sender's guessing probability for the selection bit is in 
the first case s/2 + (1 − s)(1 − α) = 1 − s/2 − α + sα and in the second case 
p_s + (1 − p_s)/2 = 1 − s/2 − α + sα. Applying Lemma 5 of [7] (OT is possible 
based on a (p, q, ε)-WOT if p + q + 2ε < 0.45) to the transformed SGWOT results 
in the following Lemma. 
Lemma 4. The reduction from OT to WOT of [7] implements OT from any 
((s, α), (r, β), ε)-SGWOT with p_s + q_r + 2ε < 0.45, where p_s = (1 − s)(1 − 2α) 
and q_r = (1 − r)(1 − 2β). 

Combining Lemmas 4 and 2 gives directly the following result: 

Lemma 5. OT may be reduced to (γ, δ)-PassiveUNC if p_s + q_r + 2ε < 0.45, 
where p_s = (1 − s)(1 − 2α), q_r = (1 − r)(1 − 2β) and s, α, r, β, ε are defined by 
equations (1)-(3). 

Note that [7] only guarantees that OT can be achieved if p + q + 2ε < 0.45 
where p = 1 − s and q = 1 − r. Hence, the possibility range given in Lemma 5 
strictly contains the one obtained in [7]. 

Despite this improvement, Lemma 5 still shares the following restriction 
with [7]. OT cannot be provably achieved for δ > 0.35 even when γ is almost 
equal to δ (i.e. the resulting UNC has almost no unfairness) since in that case 
ε > 0.45 (see Figure 1). This stands somewhat in contrast to the fact that OT 
can be achieved based on any (non-trivial) BSC [4,12,15]. Hence, one would 
expect that OT can be achieved based on any (non-trivial) UNC as long as the 
unfairness is small enough. The following lemma shows that this is indeed true. 

Lemma 6. There exists a reduction from OT to any (γ, δ)-PassiveUNC that 
satisfies 1 − (1 − p_s)^ℓ + 1 − (1 − q_r)^ℓ + 2 < 0.45 for some ℓ ≥ 1, where 
p_s = (1 − s)(1 − 2α) and q_r = (1 − r)(1 − 2β) with s, α, r, β, ε defined by (1)-(3). 

Clearly, for any 0 < δ < 1/2, for ℓ large enough, and for γ close enough to δ 
(where the closer δ is to 1/2, the closer γ has to be to δ), the values p_s and q_r 
are small enough for the condition expressed in Lemma 6 to be satisfied. Hence, 
OT is possible based on (γ, δ)-PassiveUNCs for any 0 < δ < 1/2 as long as γ is 
close enough to δ (see Figure 1). This further improves on [7]. 

Proof. We implement a ((s, α), (r, β), ε)-SGWOT from the (γ, δ)-PassiveUNC 
according to Lemma 2. Then, by Lemma 3, we convert it into a (p_s, q_r, ε)-WOT 
before applying the reduction E-Red(ℓ) of [7] with parameter ℓ. As shown in [7], 
this results in a (1 − (1 − p_s)^ℓ, 1 − (1 − q_r)^ℓ, pqr^n^)-WOT. The claim now 
follows from the above. □ 

It can be shown by straightforward calculations that the new possibility range 
includes UNCs for which the techniques of [7] result in a “simulatable” WOT 
(i.e., a trivial WOT), that is, one that could not be used to implement OT (see 
Lemma 1 of [7]). In other words, our approach allows implementing and proving 
secure OT in a range where it is provably impossible using the techniques of 
[7]. The following example illustrates this. 

Example 1. Let γ_0 = 0.39, δ_0 = 0.4 be the parameters of a PassiveUNC. The 
(p(γ_0, δ_0), q(γ_0, δ_0), ε(δ_0))-WOT obtained from a (γ_0, δ_0)-PassiveUNC the 
crude way (by giving away all partial information to the adversary as in [7]) 
achieves p(γ_0, δ_0) + q(γ_0, δ_0) + 2ε(δ_0) ≈ 0.869. It can be shown that from 
this WOT, any sequence of reductions S-, R- and E-Red generates a simulatable 
WOT, i.e., OT is not reducible to the (p(γ_0, δ_0), q(γ_0, δ_0), ε(δ_0))-WOT 
using S-, R- and E-Red. 

At the same time, the (p_s(γ_0, δ_0), q_r(γ_0, δ_0), ε(δ_0))-WOT (obtained 
according to Lemma 3) achieves p_s(γ_0, δ_0) + q_r(γ_0, δ_0) + 2ε(δ_0) ≈ 0.671. 
Moreover, E-Red(2) applied to this WOT generates a (p', q', ε')-WOT with 
p' + q' + 2ε' ≈ 0.438, which we know from Lemma 5 implies OT. 

There exists an even larger range than the one described in Lemma 6 for 
which a possibility result can be shown. This follows from the fact that the 
approach of Lemma 6 still gives information for free to the adversary. Indeed, 
the SGWOT obtained from a (γ, δ)-PassiveUNC is converted into a (p_s, q_r, ε)- 
WOT before the reductions S-Red, R-Red and E-Red are applied. We may benefit 
from trying to preserve the SGWOT through the sequence of reductions. 

The problem is that the reductions do not preserve the SGWOT per se 
but produce more complex GWOTs with a quickly growing set of parameters. 
An approach is to use Lemma 3 in order to immediately convert any resulting 
GWOT (which is not a SGWOT) back into a SGWOT. Specifically, a 
({(s_i, α_i)}_i; {(r_i, β_i)}_i; ε)-GWOT can be replaced by a ((s, α), (r, β), ε)-SGWOT, 
where α = min_i{α_i} and β = min_i{β_i}, and s and r are appropriately chosen 
such that {(s_i, α_i)}_i ≼ {(s, 1/2), (1 − s, α)} and {(r_i, β_i)}_i ≼ {(r, 1/2), (1 − r, β)}. 
This indeed results in an increased possibility range: 

Lemma 7. There exists a range of values (γ, δ) which do not satisfy the 
conditions of Lemma 6 but where OT can still be implemented from such (γ, δ)-UNCs. 

Proof. (sketch) By brute-force analysis, for any fixed value of δ_0, 
0 < δ_0 < 1/2, we find the smallest value of γ_0 such that a SGWOT based on a 
(γ_0, δ_0)-PassiveUNC can be reduced to a SGWOT with p_s + q_r + 2ε < 0.45 
using the reductions S-Red, R-Red and E-Red, and replacing any GWOT by a 
SGWOT as sketched above. 

For example, let γ_0 = 0.365, δ_0 = 0.4. The value p_s + q_r + 2ε of the SGWOT 
resulting from the (γ_0, δ_0)-PassiveUNC is equal to 0.793. It is easy to check 
that the conditions of Lemma 6 are not satisfied with respect to this SGWOT. 
Nonetheless, the sequence of reductions “EERSRESERRSESRERSESERRS” (each with 
parameter ℓ = 2) produces as output a SGWOT with p_s + q_r + 2ε = 0.329 which 
implies OT according to Lemma 5. □ 
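The bookkeeping behind Definition 1, the SGWOT-to-WOT replacement justified 
after Lemma 3, and the GWOT-to-SGWOT replacement used in the proof of Lemma 7 
can all be carried out mechanically on a distribution over BSCs represented as 
a list of (p_i, ε_i) pairs. The following Python is an added example written 
for this page, not code from the paper or its authors; the function names are 
mine. It deliberately does not implement the S-, R- and E-Red reductions 
themselves or the formulas (1)-(3), which are not reproduced here. What it 
checks is the invariant the text relies on: a split in the sense of 
Definition 1 (together with the merge of equal-ε entries into S*) leaves the 
guessing probability Σ_i p_i(1 − ε_i) unchanged, and the split with ε⁻ = 0, 
ε⁺ = 1/2 and δ = 2α turns {(s, 1/2), (1 − s, α)} into exactly the 
{(p_s, 0), (1 − p_s, 1/2)} of a WOT with p_s = (1 − s)(1 − 2α). 

```python
from typing import List, Tuple

# A probability distribution over BSCs: (p_i, eps_i) means "with probability
# p_i the bit is sent through a BSC with error probability eps_i" (the sets
# {(s_i, alpha_i)}_i / {(r_i, beta_i)}_i of the text).
BSCDist = List[Tuple[float, float]]


def guess_prob(S: BSCDist) -> float:
    """Best probability of guessing a uniformly random bit sent through S.
    The party is told which BSC was used, so it is sum_i p_i * (1 - eps_i)."""
    return sum(p * (1 - e) for p, e in S)


def merge_equal(S: BSCDist, ndigits: int = 12) -> BSCDist:
    """The S* identification: entries with equal eps are merged by adding
    their probabilities.  Zero-probability entries are dropped."""
    acc = {}
    for p, e in S:
        key = round(e, ndigits)
        acc[key] = acc.get(key, 0.0) + p
    return [(p, e) for e, p in sorted(acc.items()) if p > 0]


def split(S: BSCDist, i: int, delta: float, e_minus: float,
          e_plus: float) -> BSCDist:
    """One step of Definition 1: replace (p_i, eps_i) by ((1-delta) p_i, e_minus)
    and (delta p_i, e_plus).  Requires e_minus <= eps_i <= e_plus <= 1/2 and
    eps_i = (1-delta) e_minus + delta e_plus.  Returns S' with S ≼ S'."""
    p, e = S[i]
    if not (0.0 <= delta <= 1.0 and 0.0 <= e_minus <= e <= e_plus <= 0.5):
        raise ValueError("split parameters outside Definition 1")
    if abs(e - ((1 - delta) * e_minus + delta * e_plus)) > 1e-9:
        raise ValueError("condition 2 of Definition 1 violated")
    return S[:i] + S[i + 1:] + [((1 - delta) * p, e_minus), (delta * p, e_plus)]


def wot_dist(p: float) -> BSCDist:
    """Sender side of a (p, q, eps)-WOT seen as a GWOT: {(p, 0), (1-p, 1/2)}."""
    return [(p, 0.0), (1 - p, 0.5)]


def sgwot_dist(s: float, alpha: float) -> BSCDist:
    """Sender side of an ((s, alpha), ., .)-SGWOT: {(s, 1/2), (1-s, alpha)}."""
    return [(s, 0.5), (1 - s, alpha)]


def p_s(s: float, alpha: float) -> float:
    """The WOT parameter of Lemma 4: p_s = (1-s)(1-2 alpha)."""
    return (1 - s) * (1 - 2 * alpha)


def sgwot_to_wot(s: float, alpha: float) -> BSCDist:
    """Replace {(s, 1/2), (1-s, alpha)} by a WOT distribution via Definition 1:
    split BSC(alpha) into BSC(0) and BSC(1/2) with delta = 2 alpha, then merge.
    The result equals wot_dist(p_s(s, alpha))."""
    return merge_equal(split(sgwot_dist(s, alpha), 1, 2 * alpha, 0.0, 0.5))


def to_special(S: BSCDist) -> BSCDist:
    """GWOT-to-SGWOT step from the proof of Lemma 7: replace a general
    {(s_i, alpha_i)}_i by {(s, 1/2), (1-s, alpha)} with alpha = min_i alpha_i,
    splitting every BSC(alpha_i) into BSC(alpha) and BSC(1/2)."""
    alpha = min(e for _, e in S)
    if alpha == 0.5:                      # nothing to split, all BSC(1/2)
        return merge_equal(S)
    cur = list(S)
    for _ in range(len(S)):               # split() removes index 0, appends 2
        _, e = cur[0]
        d = (e - alpha) / (0.5 - alpha)   # alpha_i = (1-d) alpha + d/2
        cur = split(cur, 0, d, alpha, 0.5)
    return merge_equal(cur)


def ot_condition(ps: float, qr: float, eps: float) -> bool:
    """The sufficient condition of Lemma 4 (Lemma 5 of [7])."""
    return ps + qr + 2 * eps < 0.45


if __name__ == "__main__":
    S = sgwot_dist(0.3, 0.1)              # constructed sample parameters
    W = sgwot_to_wot(0.3, 0.1)
    print(S, guess_prob(S))
    print(W, guess_prob(W), "p_s =", p_s(0.3, 0.1))
    G = [(0.5, 0.1), (0.5, 0.3)]          # constructed two-BSC distribution
    print(to_special(G), guess_prob(G), guess_prob(to_special(G)))
```

For s = 0.3, α = 0.1 the sender's guessing probability is 
1 − s/2 − α + sα = 0.78 in both representations, as computed after Lemma 3, 
and the split-and-merge route reproduces p_s = 0.7 · 0.8 = 0.56. The same 
helper applied to the two-BSC distribution {(0.5, 0.1), (0.5, 0.3)} yields 
{(0.25, 1/2), (0.75, 0.1)}, again with the guessing probability (0.8) 
preserved. 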

Using brute-force analysis, it is possible to find experimentally the range for 
which the reduction considered in Lemma 7 produces OT. The new range is 
depicted in Figure 1. 

On the other hand, even the approach described above is limited in power. 
The following example suggests that in order to get a possibility result closer to 
the (γ, δ)-PassiveUNC simulation bound δ = 2γ(1 − γ) from [7], one has to find 
different reduction methods and/or analytical tools. 

Example 2. Let γ_0 = 0.33, δ_0 = 0.4. A SGWOT based on the (γ_0, δ_0)-PassiveUNC 
has the potential p_s(γ_0, δ_0) + q_r(γ_0, δ_0) + 2ε(δ_0) ≈ 0.949. It can be 
shown by brute-force analysis that whatever sequence of reductions S-, R- and 
E-Red is applied with whatever parameters, it always results at some point in a 
SGWOT with p_s + q_r + 2ε > 1. 

We stress that in contrast to a (p, q, ε)-WOT with p + q + 2ε > 1, a SGWOT 
with p_s + q_r + 2ε > 1 is not proven to be simulatable; however, it seems to be 
a very strong indication that OT cannot be based on such a SGWOT. 

7 Conclusion and Open Questions 

In this paper, we have shown how to transform any OT protocol secure against 
passive adversaries given access to a PassiveUNC into one that is secure against 
active adversaries given access to a standard UNC. This is possible since any 
non-trivial UNC allows for bit commitment, as was shown in [7]. Our 
transformation is general enough to be applicable to a wider class of 2-party 
protocols. Applying it to a passively secure protocol π implementing task T 
given access to a PassiveUNC produces an actively secure protocol π' that 
implements T given access to a UNC; however, π' may fail with non-negligible 
(1/poly) probability. When T is OT, this can be cleaned up using known 
techniques; in general T can be any task where such “cleaning” is possible. 

We have also provided a more refined analysis for the reduction of OT to 
(γ, δ)-UNC introduced in [7]. As a result, OT is now possible based on a 
significantly larger range of (γ, δ) than what was known before. Unfortunately, 
we also show the approach has limits that even a more careful analysis cannot 
overcome. Thus, a grey area is left where no positive or negative results are 
known to apply. 

Closing this gap is the obvious open problem suggested by this work. 
counterpart in at least one important way: Given black-box access to a 
computational assumptions. A natural question therefore arises: What 
secure commitments are used instead of perfect ones? 
binding string commitments are available. In particular, we analyse the 
security of a primitive called Quantum Measurement Commitment when 
it is constructed from unconditionally concealing but computationally 
We reduce the security of QMC to a weak binding criterion for the string 
commitment. We also show that secure QMCs imply QOT using a 
straightforward variant of the reduction above. 



^ Funded by the Danish National Research Foundation. 

* FIGS, Foundations in Cryptography and Security, funded by the Danish Natural 
Sciences Research Council. 

* Part of this research was done while visiting University of Arhus and was funded by 
Quebec’s FQRNT and MDER, and Canada’s NSERC and MITACS. 

** Part of this research was funded by NSERC. 
*** This work has been supported in part by the National Science Foundation under 
Grant No. EIA-0086038. 

^ Part of this research was funded by European projects QAIP and PROSECCO. 



Naor (Ed.): TCC 2004, LNCS 2951, pp. 374-393, 2004. 
Springer-Verlag Berlin Heidelberg 2004 




Computational Collapse of Quantum State 375 



1 Introduction 

Quantum 2-party cryptography differs from its classical counterpart in at least one important way: given black-box access to a perfect commitment scheme there exists a secure 1-2 quantum oblivious transfer (i.e. 1-2 QOT) scheme [6,3,4]. Classically, it is known that such a reduction is unlikely to exist [10]. By 1-2 QOT we mean a standard oblivious transfer of two classical messages using quantum communication. In [6], Crépeau and Kilian have shown how 1-2 QOT can be obtained from perfect commitments (i.e. the CK protocol). The security analysis of the CK protocol was provided by Crépeau in [4] with respect to receivers restricted to perform only immediate and complete measurements. The assumption was relaxed in [15] by showing that privacy for the sender is guaranteed against any individual measurements applied by the receiver. The security against any receiver was obtained by Yao in [20]. This important paper provides a full proof of security for 1-2 QOT when constructed from perfect commitments under the assumption that the quantum channel is error-free. Yao's result was then generalized by Mayers [13] to the case of a noisy quantum channel [3] and where strings are transmitted instead of bits. Mayers then reduced the security of quantum key distribution to the security of such a generalized 1-2 QOT. If 2-party cryptography in the quantum world seems to rely upon weaker assumptions than its classical counterpart, it also shares some of its limits. As was shown in [12,14,11], no statistically binding and concealing quantum bit commitment can exist. On the other hand, quantum commitments can be based upon physical [?] and computational [8,7] assumptions. A natural question arises: what happens to the security of the CK protocol when computationally secure commitments are used instead of perfect ones? It should be stressed that Yao's proof does not apply in this case since it relies heavily upon the fact that the commitment scheme is modelled by a classical black box (i.e. one with classical inputs and outputs). The proof is information theoretic provided the sender and the receiver have black-box access to perfect commitments. For Yao's proof to apply, the committing phase should be modelled by the transmission of a classical bit to a third party who conceals it from the receiver until the opening phase. Although any unconditionally binding commitment scheme defines such a classical bit, unconditionally concealing commitments do not (i.e. both committed values can be explained by the information provided to the receiver). In this paper, we address the security of 1-2 QOT when computationally binding string commitments are available. In particular, we analyse the security of a primitive called Quantum Measurement Commitment (i.e. QMC) when it is constructed from unconditionally concealing but computationally binding commitments. We reduce the security of QMC to a weak binding criterion for the string commitment. We also show that secure QMCs imply 1-2 QOT using a straightforward variant of the CK protocol. It follows that, unlike Yao's proof (and the proof in [15]), our security proof applies when computationally binding commitments are used.

The CK protocol can be seen as a quantum reduction of 1-2 OT to bit commitment. To see how it works, consider the BB84 coding scheme [2,6] for a classical bit $b$ into a random state in $\{|b\rangle_+, |b\rangle_\times\}$. The basis $\theta \in \{+,\times\}$ used to encode $b$ into the quantum state $|b\rangle_\theta$ is called the transmission basis. Since only orthogonal quantum states can be distinguished with certainty, the transmitted bit $b$ is not received perfectly by the receiver, Alice, who does not know the transmission basis. The coding scheme also specifies what an honest Alice should be doing with the received state $|b\rangle_\theta$. She picks $\hat\theta \in_R \{+,\times\}$ and measures $|b\rangle_\theta$ with measurement $M_{\hat\theta}$ that distinguishes perfectly the orthogonal states $|0\rangle_{\hat\theta}$ and $|1\rangle_{\hat\theta}$. If Bob and Alice follow honestly the BB84 coding scheme then $b$ is received with probability 1 when $\hat\theta = \theta$ whereas a random bit is received when $\hat\theta \neq \theta$. In other words, if Bob announces the transmission basis at the end of the transmission then the BB84 coding scheme implements a Rabin oblivious transfer [16] from Bob to Alice provided she is honest. Otherwise, Alice can easily cheat the protocol by postponing the measurement until the basis is announced. In this case she gets the transmitted bit all the time. In order to make the BB84 transmission resistant to active adversaries, the CK protocol uses $n$ BB84 transmissions where for each of them, Alice is asked to commit upon the measurements and outcomes prior to the announcement of the transmission bases by Bob.

We call Quantum Measurement Commitment (or QMC) the primitive that allows Alice to provide Bob with evidence of measurements she claims having performed on $n$ BB84 qubits before the announcement of $\theta \in \{+,\times\}^n$. Implementing a QMC is simply done by sending a string commitment containing $(\hat\theta, \hat b)$ to Bob where $\hat\theta \in \{+,\times\}^n$ are the measurements Alice claims having performed and $\hat b \in \{0,1\}^n$ are the outcomes.

The classical bit encoded in the transmission is defined as the value of some predicate $f(b_1,\ldots,b_n)$. Once the QMC has been performed, Alice should be unable to evaluate $f(b_1,\ldots,b_n)$ even given the knowledge of the transmission bases $\theta$. A computational collapse occurred if, given the transmission basis $\theta$, $f(b_1,\ldots,b_n)$ cannot be determined efficiently.

The CK protocol constructs a 1-2 QOT from a QMC with $f(b_1,\ldots,b_n) = \bigoplus_{i=1}^n b_i$. A QMC is therefore a universal primitive for secure 2-party computation (of classical functions).

Our contribution. In this paper, we address the question of determining how the binding property of the string commitment scheme used for implementing a QMC enforces its security. As already pointed out in [8,7], quantum bit commitment schemes satisfy different binding properties than classical ones. The difference becomes more obvious when string commitments are taken into account. In Sect. 3.1, we generalize the computational binding criterion of [8] to the case where commitments are made to strings of size $\ell \in O(n)$ for $n$ the security parameter, and $\ell$ some value depending on $n$. Intuitively, for a class of functions $F \subseteq \{f : \{0,1\}^\ell \to \{0,1\}^m\}$, with $m < \ell$ both depending on $n$, we say that a string commitment scheme is $F$-binding if for all $f \in F$, for all commitments prepared by the sender, and for a random $y \in_R \{0,1\}^m$, the commitment cannot be opened efficiently to any $s \in \{0,1\}^\ell$ such that $f(s) = y$ with success probability significantly better than $1/2^m$. The smaller $m$ is compared to $\ell$, the weaker is the $F$-binding criterion. We relate the security of QMC to a weak form of the $F$-binding property. We assume that a QMC is made using a computationally binding and unconditionally concealing string commitment containing the bases $\hat\theta \in \{+,\times\}^n$ and the results $\hat b \in \{0,1\}^n$ obtained by Alice after Bob's transmission of $|b\rangle_\theta$. We then define the security of a QMC by the following game between Alice and Bob. Bob selects a challenge $c \in_R \{0,1\}$.

If $c = 0$, Alice unveils all measurements and outcomes, which Bob verifies (by testing that $\hat\theta_i = \theta_i \Rightarrow \hat b_i = b_i$). If $c = 1$, Bob announces the transmission basis $\theta \in_R \{+,\times\}^n$ and Alice tries to maximize her bias on $b$'s parity. Let $p_s$ be Alice's probability of success when $c = 0$ and let $\epsilon$ be Alice's expected bias when $c = 1$. First, notice that if $p_s + 2\epsilon = 2$ then the QMC is not accomplishing anything since Alice can always unveil perfectly ($p_s = 1$) and bias the parity of $b$ as she likes ($\epsilon = 1/2$). In this case it is impossible to build a secure OT from that QMC. However, as we will see in Sect. 3.2, an honest Alice can always achieve $p_s + 2\epsilon \ge 1$ and thus all adversaries such that $p_s + 2\epsilon \le 1$ are considered trivial. Our main contribution describes how $p_s$ and $\epsilon$ relate to the $F^n_m$-binding criterion of the string commitment for a class of functions with small range $m \in O(\mathrm{polylog}(n))$. In Sect. 5, we give a black-box reduction of any good quantum adversary against QMC into one against the string commitment $F^n_m$-binding criterion. We show that if $p_s + 4\epsilon^2 \ge 1 + \delta(n)$ for non-negligible $\delta(n)$, then the string commitment is not $F^n_m$-binding. In Sect. 6, we show that the converse condition $\epsilon < \frac{1}{2}\sqrt{1 + \delta(n) - p_s}$ (for negligible $\delta(n)$) is sufficient to build a secure 1-2 QOT. We construct a 1-2 QOT along the same lines as the CK protocol by invoking $O(n)$ times a QMC built from an $F^n_m$-binding string commitment scheme. After making sure that $p_s$ is sufficiently close to 1 for a large fraction of all QMC executions, we show how to obtain a correct and private (according to the definition of [4] adapted the obvious way to deal with computational security against the receiver) 1-2 QOT.

Our reduction shows that using computationally binding commitments one can enforce a computational or apparent collapse of quantum information. Using such a QMC allows one to construct a 1-2 QOT that is unconditionally secure against Bob (i.e. the sender) and computationally secure against Alice (i.e. the receiver) provided the string commitment scheme used to construct the QMC is $F^n_m$-binding. As for the quantum version of the Goldreich-Levin theorem [1] and the computationally binding commitments of [8] and [7], our result clearly indicates that 2-party quantum cryptography in the computational setting can be based upon different if not weaker assumptions than its classical counterpart.

2 Preliminaries 

Notations and Tools. In the following, $\mathrm{poly}(n)$ stands for any polynomial in $n$. We write $\Delta(n) < 1/\mathrm{poly}(n)$ for "$\Delta(n)$ is smaller than any inverse polynomial provided $n$ is sufficiently large" and $\Delta(n) \le \mathrm{poly}(n)$ (resp. $\Delta(n) \ge \mathrm{poly}(n)$) means that $\Delta(n)$ is upper bounded by some polynomial (resp. lower bounded by some polynomial). For $w \in \{0,1\}^n$, $x \sqsubseteq w$ means that $x_i = 0$ for all $1 \le i \le n$ such that $w_i = 0$ ($x$ belongs to the support of $w$). We denote by $\|$ the string concatenation operator. For $w \in \{0,1\}^n$, we write $[w] = \bigoplus_{i=1}^n w_i$. For $w, z \in \{0,1\}^n$, we write $|w|$ for the Hamming weight of $w$, $\Delta(w,z) = |w \oplus z|$ for the Hamming distance, and $w \odot z = \bigoplus_{i=1}^n w_i \cdot z_i$ for the boolean inner product. Notation $\|u\|$ denotes the Euclidean norm of $u$ and $u^\dagger$ denotes its complex conjugate transposed. The following well-known identity will be useful,

$$(\forall y \in \{0,1\}^n)\Big[y \neq 0^n \Rightarrow \sum_{x \in \{0,1\}^n} (-1)^{x \odot y} = 0\Big]. \qquad (1)$$

The next lemma, for which a proof can be found in [5], provides a generalization of the parallelogram identity:

Lemma 1. Let $A \subseteq \{0,1\}^n$ be a set of bitstrings. Let $\{v_{w,z}\}_{w,z}$ be any family of vectors indexed by $w \in \{0,1\}^n$ and $z \in A$ that satisfies,

$$(\forall s, t \in \{0,1\}^n, s \neq t)\Big[\sum_{w} \sum_{\substack{z_1 \in A : w \oplus z_1 = s \\ z_2 \in A : w \oplus z_2 = t}} \langle v_{w,z_1}, v_{w,z_2}\rangle = 0\Big]. \qquad (2)$$

Then,

$$\sum_{w \in \{0,1\}^n} \Big\| \sum_{z \in A} v_{w,z} \Big\|^2 = \sum_{w \in \{0,1\}^n} \sum_{z \in A} \|v_{w,z}\|^2. \qquad (3)$$

Finally, for $\theta, b \in \{0,1\}^n$, we define $\Delta_n(\theta,b) = \{(\hat\theta,\hat b) \in \{0,1\}^n \times \{0,1\}^n \mid (\forall i, 1 \le i \le n)[\hat\theta_i = \theta_i \Rightarrow \hat b_i = b_i]\}$. It is easy to verify that $\#\Delta_n(\theta,b) = 3^n$ and that $(\theta \oplus \tau, b \oplus \beta) \in \Delta_n(\theta,b)$ iff $\beta \sqsubseteq \tau$.

Quantum Stuff. The basis $\{|0\rangle, |1\rangle\}$ denotes the computational or rectilinear or "$+$" basis for $\mathcal{H}_2$. When the context requires, we write $|b\rangle_+$ to denote the bit $b$ in the rectilinear basis. The diagonal basis, denoted "$\times$", is defined as $\{|0\rangle_\times, |1\rangle_\times\}$ where $|0\rangle_\times = \frac{1}{\sqrt 2}(|0\rangle + |1\rangle)$ and $|1\rangle_\times = \frac{1}{\sqrt 2}(|0\rangle - |1\rangle)$. States $|0\rangle$, $|1\rangle$, $|0\rangle_\times$ and $|1\rangle_\times$ are the four BB84 states. For any $x \in \{0,1\}^n$ and $\theta \in \{+,\times\}^n$, the state $|x\rangle_\theta$ is defined as $\bigotimes_{i=1}^n |x_i\rangle_{\theta_i}$. In the following, we write $P_{+,0} = P_0 = |0\rangle\langle 0|$, $P_{+,1} = P_1 = |1\rangle\langle 1|$, $P_{\times,0} = |0\rangle_\times\langle 0|$ and $P_{\times,1} = |1\rangle_\times\langle 1|$ for the projections along the four BB84 states. We define measurements $M_+ = \{P_0, P_1\}$ and $M_\times = \{P_{\times,0}, P_{\times,1}\}$ allowing to distinguish the BB84 encoded bit in the computational and diagonal basis respectively. For $\theta \in \{+,\times\}^n$, measurement $M_\theta$ is the composition of measurements $M_{\theta_i}$ for $1 \le i \le n$. In order to simplify the notation, we sometimes associate the rectilinear basis "$+$" with bit 0 and the diagonal basis "$\times$" with bit 1. We map sequences of rectilinear and diagonal bases into bitstrings the obvious way.
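The BB84 states and measurements just defined, as an added example (not code from the paper): a pure-Python check of the outcome distribution of $M_{\hat\theta}$ on $|b\rangle_\theta$, and of the change-of-basis expansion of $|b\rangle_\theta$ in the basis $\theta \oplus x$ that the paper later applies to committed states in (9). Bases are encoded as bits (0 for $+$, 1 for $\times$); all function names are mine.

```python
# Added example (not from the paper): exact pure-Python check, for n-qubit BB84 states,
# of the measurement rule M_theta_hat and of the change-of-basis expansion that the
# paper applies to the committed states in (9). Bases are bits: 0 = "+", 1 = "x".
from itertools import product
from math import sqrt

def bb84_state(b, theta):
    """Real amplitude vector (length 2^n) of |b>_theta = (x)_i |b_i>_{theta_i}."""
    amps = [1.0]
    for bi, ti in zip(b, theta):
        if ti == 0:                                   # rectilinear: |0>, |1>
            qubit = [1.0, 0.0] if bi == 0 else [0.0, 1.0]
        else:                                         # diagonal: (|0> +/- |1>)/sqrt(2)
            qubit = [1 / sqrt(2), (1 / sqrt(2)) * (-1) ** bi]
        amps = [a * q for a in amps for q in qubit]   # tensor product, first qubit most significant
    return amps

def inner(u, v):
    return sum(x * y for x, y in zip(u, v))           # amplitudes are real here

def hamming_weight(w):
    return sum(w)

def bool_inner(u, v):                                 # u (.) v = XOR_i u_i v_i
    return sum(a & c for a, c in zip(u, v)) % 2

def xor(u, v):
    return tuple(a ^ c for a, c in zip(u, v))

def below(y, x):                                      # y lies in the support of x
    return all(yi <= xi for yi, xi in zip(y, x))

def measure_probs(b, theta, theta_hat):
    """Outcome distribution of M_theta_hat on |b>_theta: Pr[b_hat] = |<b_hat|_theta_hat |b>_theta|^2."""
    state = bb84_state(b, theta)
    return {b_hat: inner(bb84_state(b_hat, theta_hat), state) ** 2
            for b_hat in product((0, 1), repeat=len(b))}

def basis_change(b, theta, x):
    """2^{-|x|/2} sum_{y below x} (-1)^{b(.)x XOR b(.)y} |b XOR y>_{theta XOR x}: the same
    state |b>_theta written in the basis theta XOR x (the identity behind (9))."""
    total = [0.0] * 2 ** len(b)
    for y in product((0, 1), repeat=len(b)):
        if not below(y, x):
            continue
        sign = (-1) ** (bool_inner(b, x) ^ bool_inner(b, y))
        term = bb84_state(xor(b, y), xor(theta, x))
        total = [t + sign * a for t, a in zip(total, term)]
    return [t / sqrt(2 ** hamming_weight(x)) for t in total]

def basis_change_holds(n, tol=1e-12):
    """True iff the expansion reproduces |b>_theta for every b, theta, x in {0,1}^n."""
    for b, theta, x in product(product((0, 1), repeat=n), repeat=3):
        lhs, rhs = bb84_state(b, theta), basis_change(b, theta, x)
        if max(abs(l - r) for l, r in zip(lhs, rhs)) > tol:
            return False
    return True

if __name__ == "__main__":
    print(measure_probs((0, 1), (0, 1), (0, 0)))    # first bit certain, second bit a coin flip
    print(basis_change_holds(3))                    # True
```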

We refer to [8,7] for a more complete description of how quantum protocols are modeled by quantum circuits. We denote by $\mathcal{U}_G$ a universal set of quantum gates. The complexity of a quantum circuit $C$ is simply the number $\|C\|_{\mathcal{U}_G}$ of elementary gates in $C$. In the following, we use the two Pauli (unitary) transformations $\sigma_x$ (bit flip) and $\sigma_z$ (conditional phase shift) defined for $b \in \{0,1\}$ as $\sigma_x : |b\rangle \mapsto |1 - b\rangle$ and $\sigma_z : |b\rangle \mapsto (-1)^b |b\rangle$. Assuming $U$ is a one-qubit operation and $s \in \{0,1\}^n$, we write $U^{\otimes s} = \bigotimes_{i=1}^n U_i$ where $U_i = I_2$ if $s_i = 0$ and $U_i = U$ if $s_i = 1$. $U^{\otimes s}$ is therefore a conditional application of $U$ on each of $n$ registers depending upon the value of $s$. The maximally entangled state $|\Phi^+\rangle = 2^{-n/2} \sum_{x \in \{0,1\}^n} |x\rangle \otimes |x\rangle$ will be useful in our reduction. This state can easily be constructed from scratch by a circuit of $O(n)$ elementary gates.

3 Definitions 

3.1 Computationally Binding Quantum String Commitment 

In the following we shall always refer to $A$ as the sender and $B$ as the receiver of some commitment. Such a scheme can be specified by two families of protocols $\mathcal{C} = \{(C^A_n, C^B_n)\}_{n>0}$ and $\mathcal{O} = \{(O^A_n, O^B_n)\}_{n>0}$ where each pair defines $A$'s and $B$'s circuits for the committing and the opening phase respectively. An $\ell$-string commitment allows to commit upon strings of length $\ell$ for $n$ a security parameter. The committing stage generates the state $|\psi_s\rangle = (C^A_n \otimes C^B_n)|s\rangle^A |0\rangle^B$ when $A$ commits to $s \in \{0,1\}^\ell$. The opening stage is executed from the shared state $|\psi_s\rangle$ and produces $|\psi_{final}\rangle = (O^A_n \otimes O^B_n)|\psi_s\rangle$. In [8], a natural security criterion for computationally binding but otherwise concealing quantum bit commitment schemes was introduced. In the following, we generalize this approach for string commitment schemes.

An adversary $\tilde{\mathcal{A}} = \{(\tilde C^A_n, \tilde O^A_n)\}_{n>0}$ for the binding condition is such that $|\psi\rangle = (\tilde C^A_n \otimes C^B_n)|0\rangle^A |0\rangle^B$ is generated during the committing stage. The dishonest opening circuit $\tilde O^A_n$ tries to open $s \in \{0,1\}^\ell$ given as an extra input in state $|s\rangle^A$. Given the final state $|\psi_{final}\rangle = (\tilde O^A_n \otimes O^B_n)|s\rangle^A |\psi\rangle$ we define $p_s(n)$ as the probability to open $s \in \{0,1\}^\ell$ with success. More precisely, $p_s(n) = \|Q_s |\psi_{final}\rangle\|^2$ where $Q_s$ is $B$'s projection operator on the subspace leading to accept the opening of $s$. The main difference between quantum and classical commitments is the impossibility in the quantum case to determine the committed string $s$ after the committing phase of the protocol. Classically, this can be done by fixing the parties' random tapes so $s$ becomes uniquely determined. In other words, a quantum adversary able to open any string $s$ with probability $p(s)$ is not necessarily able to compute simultaneously the openings of all or even a subset of all strings $s$. In particular, classical security proof techniques like rewinding have no quantum analogue [9,18]. A committer (to a concealing commitment) can always commit upon any superposition of values for $s$ that will remain such until the opening phase. An honest committer does not necessarily know a single string that can be unveiled with non-negligible probability of success. Suppose a quantum $\ell$-string commitment scheme has committing circuit $C^A_n \otimes C^B_n$ and let $|\psi_s\rangle = (C^A_n \otimes C^B_n)|s\rangle^A |0\rangle^B$. If the committer starts with superposition $\sum_s \sqrt{p_s(n)}\,|s\rangle$, for any probability distribution $\{(p_s(n), s)\}_{s \in \{0,1\}^\ell}$, then the state obtained after the committing phase would be:
$$\sum_{s \in \{0,1\}^\ell} \sqrt{p_s(n)}\,|\psi_s\rangle = (C^A_n \otimes C^B_n)\Big(\sum_{s \in \{0,1\}^\ell} \sqrt{p_s(n)}\,|s\rangle^A\Big) \otimes |0\rangle^B. \qquad (4)$$

Equation (4) is a valid commitment to a superposition of strings that will always allow the sender to unveil $s$ with probability $p_s(n)$. The honest strategy described in (4) achieves $\sum_s p_s(n) = 1$. In [8], the binding condition is satisfied if no adversary can do significantly better than what is achievable by (4) in the special case $\ell = 1$. More precisely, a bit commitment scheme is computationally binding if for all poly-time adversaries $\tilde{\mathcal{A}}$:

$$p_0(n) + p_1(n) \le 1 + 1/\mathrm{poly}(n) \qquad (5)$$

where $p_b(n)$ is the probability for $\tilde{\mathcal{A}}$ to open bit $b$ with success. Extending this definition to the case where $\ell \in O(n)$ must be done with care however. The obvious generalization of (5) to the requirement $\sum_{s \in \{0,1\}^\ell} p_s(n) \le 1 + 1/\mathrm{poly}(n)$ is too strong whenever $\ell \in O(n)$. For example, if $\ell = n$ and $p_s(n) = 2^{-n}(1 + \ldots)$ for all strings $s \in \{0,1\}^n$ then $\tilde{\mathcal{A}}$'s behavior is indistinguishable in polynomial time from what is achievable with the honest state (4) resulting from distribution $\{(2^{-n}, s)\}_s$. Any such attack that cannot be distinguished from the honest behavior should hardly be considered successful. On the other hand, defining a successful adversary $\tilde{\mathcal{A}}$ as one who can open $s$ and $s'$ ($s \neq s'$) such that $p_s(n) + p_{s'}(n) \ge 1 + 1/p(n)$ is in general too weak when one tries to reduce the security of a protocol to the security of the string commitment used by that protocol (as we shall see for QMCs). Breaking a protocol could be reduced to breaking the string commitment scheme in a more subtle way. In general, the possibility to commit upon several strings in superposition can be used by the adversary to make his attack against the binding condition even more peculiar. Instead of trying to open a particular string $s \in \{0,1\}^\ell$, an attacker could be interested in opening any $s \in \{0,1\}^\ell$ such that $f(s) = y$ for some function $f : \{0,1\}^\ell \to \{0,1\}^m$ with $m < \ell$. Henceforth, we call such an attack an $f$-attack. We shall see in the following that the security of QMC is guaranteed provided the string commitment does not allow the committer to mount such an $f$-attack for any $f \in F$ where $F$ is a special class of functions. Such an adversary is defined by a family of interactive quantum circuits $\tilde{\mathcal{A}}^f = \{(\tilde C^A_n, \tilde O^A_n)\}_{n>0}$ such that $|\psi\rangle = (\tilde C^A_n \otimes C^B_n)|0\rangle^A |0\rangle^B$ is the state generated during the committing phase of the protocol and $|\psi(y)\rangle = (\tilde O^A_n \otimes O^B_n)|y\rangle^A |\psi\rangle$ is the state (hopefully) allowing to open $s \in \{0,1\}^\ell$ such that $f(s) = y$. The probability to succeed during the opening stage is,

$$p^f_y(n) = \Big\| \sum_{s \in \{0,1\}^\ell : f(s) = y} Q^f_s\, |\psi(y)\rangle \Big\|^2 \qquad (6)$$

where $Q^f_s$ is $B$'s projection operator leading to accept the opening of $s \in \{0,1\}^\ell$. The following binding criterion takes into account such attacks:
Definition 1. Let $F \subseteq \{f : \{0,1\}^\ell \to \{0,1\}^m\}$ be a set of functions where $m < \ell$. An $\ell$-string commitment scheme is computationally $F$-binding if for any $f \in F$ and any adversary $\tilde{\mathcal{A}}^f$ such that $\|\tilde{\mathcal{A}}^f\|_{\mathcal{U}_G} \le \mathrm{poly}(n)$, we have

$$\sum_{y \in \{0,1\}^m} p^f_y(n) \le 1 + 1/\mathrm{poly}(n) \qquad (7)$$

where $p^f_y(n)$ is defined as in (6).

Notice that all natural attacks can be expressed by an appropriate class of functions $F$. In general, the smaller $m$ is with respect to $\ell$, the weaker is the $F$-binding criterion. A class of functions of particular interest is built out of $s_1(x,y) = x$, $s_2(x,y) = y$, and $s_3(x,y) = x \oplus y$ for all $x, y \in \{0,1\}$. Let $\mathcal{I}^n_m$ be the set of subsets of $\{1,\ldots,n\}$ having size $m$. For $I \in \mathcal{I}^n_m$, let $S^m_I = \{s : \{0,1\}^{2n} \to \{0,1\}^m \mid (\exists (j_h)_{h \in I} \in \{1,2,3\}^m)(\forall x, y \in \{0,1\}^n)[s(x,y) = \|_{h \in I}\, s_{j_h}(x_h, y_h)]\}$; we define:

$$F^n_m = \{f : \{0,1\}^{2n} \to \{0,1\}^m \mid (\exists I \in \mathcal{I}^n_m)[f \in S^m_I]\}.$$

In other words, $F^n_m$ contains the set of functions $f$ such that each of the $m$ output bits of $f(x,y)$ is a bit of either $x$ or $y$ or $x \oplus y$. Notice that no quantum string commitment has been formally shown $F$-binding for a non-trivial $F$. We believe however that the commitment of [7] can be turned into an $F^n_m$-binding string commitment for small $m$ but this analysis is beyond the scope of this paper.

3.2 Commitment to Quantum Measurement 

Quantum Measurement Commitment (QMC) is a primitive allowing the receiver of random qubits to show the sender that they have been measured without disclosing any further information (i.e. unconditionally) about the measurement and the outcome. As discussed in Sect. 1, this primitive is the main ingredient in order to provide security in 1-2 QOT against the receiver $A$. In this paper we restrict our attention to quantum transmission of random BB84 qubits. The measurements performed by the receiver are, for each transmission, independently chosen in $\{M_+, M_\times\}$. We model QMCs by the following game between the sender $B$ and the receiver $A$:

1. $B$ sends $n$ random BB84 qubits in state $|b\rangle_\theta$ for $b \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$,

2. $A$ applies measurement $M_{\hat\theta}$ for $\hat\theta \in_R \{+,\times\}^n$ producing classical outcome $\hat b \in \{0,1\}^n$,

3. $A$ uses a $2n$-string commitment in order to commit to $(\hat\theta, \hat b)$ toward $B$,

4. $B$ picks and announces a random challenge $c \in_R \{0,1\}$,

- If $c = 0$ then $A$ opens $(\hat\theta, \hat b)$ and $B$ verifies that $\hat b_i = b_i$ for all $i$ such that $\hat\theta_i = \theta_i$, otherwise $B$ aborts,

- If $c = 1$ then $B$ announces $\theta$ and $A$ tries to bias $[b]$.
$A$ wants to maximize both her success probability when unveiling and the bias on $[b]$ whenever $\theta$ is announced. This is almost identical to the receiver's situation in the CK protocol [6]. Since we only consider unconditionally concealing string commitments, $B$ gets information about $A$'s measurements and results only if they are unveiled. As we shall see next, this flavor of commitments allows $A$ to postpone her measurement until the unveiling stage. The commitment stage should nevertheless ensure $B$ that $A$ cannot use this ability for improving her situation compared to the case where she measures completely before committing. In other words, although this flavor of commitment cannot force $A$ to measure upon the committing stage, it should do as such through the actions of a computationally bounded $A$.

We model the adversary $\tilde{\mathcal{A}}$ by a family of interactive quantum circuits $\tilde{\mathcal{A}} = \{(\tilde C^A_n, \tilde O^A_n, E_n)\}_{n>0}$ where $\tilde C^A_n$ and $\tilde O^A_n$ are $A$'s circuits for the committing and the opening phases. Circuit $E_n$ allows to extract the parity of $b$ upon the announcement of basis $\theta$. Circuit $\tilde C^A_n$ works upon $A$'s internal registers $\mathcal{H}_A$ together with the register $\mathcal{H}_{channel}$ storing the BB84 qubits. We denote by

$$|\psi_{\theta,b}\rangle = (\tilde C^A_n \otimes C^B_n)\,|b\rangle_\theta \qquad (8)$$

the resulting state after the committing phase (step 3). This state should allow $A$ to succeed in both challenges with good probability. By linearity, we have that for all $\theta, b, x \in \{0,1\}^n$,

$$|\psi_{\theta,b}\rangle = 2^{-|x|/2} \sum_{y \sqsubseteq x} (-1)^{b \odot x \oplus b \odot y}\, |\psi_{\theta \oplus x,\, b \oplus y}\rangle, \qquad (9)$$

where $\theta \oplus x$ defines a new basis in which $|\psi_{\theta,b}\rangle$ is represented. The probability to open with success when $|b\rangle_\theta$ was sent is

$$p^{op}_{\theta,b}(n) = \sum_{(\hat\theta,\hat b) \in \Delta_n(\theta,b)} \|Q_{(\hat\theta,\hat b)}\, |\psi_{\theta,b}\rangle\|^2 \qquad (10)$$

for $Q_{(\hat\theta,\hat b)}$ the projection operator applied upon $B$'s registers and leading to a valid opening of $(\hat\theta,\hat b) \in \{0,1\}^{2n}$. The opening of $(\hat\theta,\hat b)$ is accepted by $B$ iff $(\hat\theta,\hat b) \in \Delta_n(\theta,b)$. For simplicity, circuits $\tilde O^A_n \otimes O^B_n$ can be included in the description of $Q_{(\hat\theta,\hat b)}$ so the opening process can be seen as a single projection $Q^*_{\theta,b} = \sum_{(\hat\theta,\hat b) \in \Delta_n(\theta,b)} Q_{(\hat\theta,\hat b)}$. Therefore, the expected probability of success $p^{op}(n)$ is,

$$p^{op}(n) = 4^{-n} \sum_{b \in \{0,1\}^n}\ \sum_{\theta \in \{+,\times\}^n} \|Q^*_{\theta,b}\, |\psi_{\theta,b}\rangle\|^2. \qquad (11)$$

When $c = 1$, $A$ should be able, given the announcement of $\theta$, to extract information about the parity $[b]$. The extractor $E_n$ has access to an extra register $\mathcal{H}_\Theta$ storing the basis $\theta \in \{+,\times\}^n$. The extractor stores the guess for $[b]$ in register $\mathcal{H}_G$. The bias $\epsilon_{\theta,b}(n)$ provided by the extractor when the qubits were initially in state $|b\rangle_\theta$ is

$$\tfrac{1}{2} + \epsilon_{\theta,b}(n) = \|P_{[b]}\, E_n\, |\psi_{\theta,b}\rangle\, |\theta\rangle^\Theta |0\rangle^G\|^2 \qquad (12)$$

where $P_{[b]}$ is applied upon the output register $\mathcal{H}_G$. The expected value $\epsilon(n)$ for the bias provided by $E_n$ is simply,

$$\epsilon(n) = 4^{-n} \sum_{b \in \{0,1\}^n}\ \sum_{\theta \in \{+,\times\}^n} \epsilon_{\theta,b}(n). \qquad (13)$$

We characterize $\tilde{\mathcal{A}}$'s behavior against QMC by both $p^{op}(n)$ and $\epsilon(n)$. Independently of the string commitment scheme used, there always exists $\tilde{\mathcal{A}}^*$ preparing a superposition of attacks that 1) succeeds with probability 1 during the opening and 2) provides $[b]$ with certainty. Such an attack can be implemented as follows:

$$|\psi^*_{\theta,b}\rangle = \alpha\,(C^A_n \otimes C^B_n)\,|b\rangle_\theta + \beta\,(C^A_n \otimes C^B_n)\,|0^n\rangle_+ \otimes |b\rangle_\theta \qquad (14)$$

where $|\alpha|^2 + |\beta|^2 = 1$ and $C^A_n$ and $C^B_n$ are the honest circuits for committing. The state $|\psi^*_{\theta,b}\rangle$ is a superposition of the honest behavior with probability $|\alpha|^2$ and the trivial attack consisting in not measuring the qubits received (the commitment is made to the dummy $|0^n\rangle_+$ and the qubits $|b\rangle_\theta$ are kept) with probability $|\beta|^2$. The expected probability of success $p^*(n)$ is

$$p^*(n) = |\alpha|^2 + |\beta|^2 \left(\tfrac{3}{4}\right)^n \approx |\alpha|^2 \qquad (15)$$

since with probability $|\alpha|^2$ an honest QMC was executed and with probability $|\beta|^2$ a QMC to the fixed state $|0^n\rangle_+$ was made. In the latter case, the probability to pass $B$'s test is $(3/4)^n$. The expected bias satisfies

$$\epsilon^*(n) = \frac{|\alpha|^2}{2^{n+1}} + \frac{|\beta|^2}{2} \ge \frac{|\beta|^2}{2} \qquad (16)$$

since with probability $|\alpha|^2$ a QMC to $|b\rangle_\theta$ is recovered (in which case a nonzero bias on $[b]$ occurs only when $\hat\theta = \theta$) and with probability $|\beta|^2$ a QMC to a dummy value is made thus allowing to extract $[b]$ perfectly. Such an attack does not enable the committer to break the binding property of the string commitment but nevertheless achieves: $p^*(n) + 2\epsilon^*(n) \ge 1$. We define two flavors of adversaries against QMC. The first flavor captures any adversary that achieves anything better than the trivial adversary $\tilde{\mathcal{A}}^*$ defined in (14). The second flavor captures stronger adversaries for which our reduction will be shown to produce attacks against the $F^n_m$-binding property of the string commitment.

Definition 2. An adversary $\tilde{\mathcal{A}} = \{(\tilde C^A_n, \tilde O^A_n, E_n)\}_{n>0}$ against QMC is $\delta(n)$-non-trivial if $p^{op}(n) + 2\epsilon(n) \ge 1 + \delta(n)$, and $\delta(n)$-good if $p^{op}(n) + 4\epsilon(n)^2 \ge 1 + \delta(n)$ for $p^{op}(n)$ and $\epsilon(n)$ defined as in (11) and (13) respectively.

Notice that if $\tilde{\mathcal{A}}$ is not $\delta(n)$-good (or $\delta(n)$-non-trivial) then an upper bound on the expected bias $\epsilon(n)$ can be obtained from a lower bound on $p^{op}(n)$. This is how we use QMCs for implementing oblivious transfer in Sect. 6.
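The QMC game and the trivial adversary above, as an added example (not code from the paper): exact enumeration of $p^{op}(n)$ and $\epsilon(n)$ for the honest receiver, for a receiver that commits to the dummy $(+^n, 0^n)$ without measuring and keeps the qubits, and for their mixture, which reproduces the expressions the paper gives in (15) and (16) and lets both flavors of Definition 2 be tested. Bases are encoded as bits (0 for $+$, 1 for $\times$); the function names are mine.

```python
# Added example (not from the paper): exact enumeration of the QMC game of Sect. 3.2.
# Bases are bits (0 = "+", 1 = "x"); all averages are exact Fractions over B's random
# (theta, b), A's random basis and the uniformly random outcomes on mismatched positions.
from fractions import Fraction
from itertools import product

def in_delta(theta, b, theta_hat, b_hat):
    """(theta_hat, b_hat) in Delta_n(theta, b): B's test of step 'c = 0' accepts iff every
    position opened in the transmission basis carries the transmitted bit."""
    return all(bh == bi for th, ti, bh, bi in zip(theta_hat, theta, b_hat, b) if th == ti)

def delta_size(n):
    """#Delta_n(theta, b) by brute force (the paper states it is 3^n, independent of theta, b)."""
    theta = b = (0,) * n
    return sum(in_delta(theta, b, th, bh)
               for th in product((0, 1), repeat=n) for bh in product((0, 1), repeat=n))

def parity(w):
    return sum(w) % 2

def honest_stats(n):
    """(p_op, eps) for the honest A: measure in a random theta_hat, commit to
    (theta_hat, outcomes) and, once theta is announced, guess [b] as the parity of
    her own outcomes (which are uninformative where the bases differ)."""
    opened = Fraction(0)
    correct = Fraction(0)
    for theta in product((0, 1), repeat=n):
        for b in product((0, 1), repeat=n):
            for theta_hat in product((0, 1), repeat=n):
                mism = [i for i in range(n) if theta_hat[i] != theta[i]]
                weight = Fraction(1, 8 ** n * 2 ** len(mism))   # 4^-n * 2^-n * 2^-|mism|
                for r in product((0, 1), repeat=len(mism)):
                    b_hat = list(b)
                    for i, ri in zip(mism, r):
                        b_hat[i] = ri                          # random outcome there
                    opened += weight * in_delta(theta, b, theta_hat, b_hat)   # c = 0
                    correct += weight * (parity(b_hat) == parity(b))        # c = 1
    return opened, correct - Fraction(1, 2)

def dummy_stats(n):
    """(p_op, eps) for an A that commits to the fixed dummy (+^n, 0^n) without measuring
    and keeps the qubits: the opening passes only if the dummy lies in Delta_n(theta, b);
    once theta is announced she measures in theta and learns [b] exactly."""
    zero = (0,) * n
    passed = sum(in_delta(theta, b, zero, zero)
                 for theta in product((0, 1), repeat=n) for b in product((0, 1), repeat=n))
    return Fraction(passed, 4 ** n), Fraction(1, 2)

def trivial_adversary(n, alpha2):
    """(p*, eps*) of A*: honest with weight |alpha|^2, dummy committer with weight
    |beta|^2 = 1 - |alpha|^2, i.e. the values (15) and (16) give for the superposition (14)."""
    p_h, e_h = honest_stats(n)
    p_d, e_d = dummy_stats(n)
    beta2 = 1 - alpha2
    return alpha2 * p_h + beta2 * p_d, alpha2 * e_h + beta2 * e_d

def is_nontrivial(p_op, eps, delta=0):
    return p_op + 2 * eps >= 1 + delta         # Definition 2, first flavor

def is_good(p_op, eps, delta=0):
    return p_op + 4 * eps ** 2 >= 1 + delta    # Definition 2, second flavor

if __name__ == "__main__":
    n = 4
    print(delta_size(n), 3 ** n)                     # 81 81
    print(honest_stats(n))                           # (1, 1/32)
    print(dummy_stats(n))                            # (81/256, 1/2)
    p, e = trivial_adversary(n, Fraction(1, 2))
    print(p, e, is_nontrivial(p, e), is_good(p, e))  # 337/512 17/64 True False
```

For a constant $|\alpha|^2$ strictly between 0 and 1 the mixture is non-trivial for every $n$ but its $p^* + 4\epsilon^{*2}$ tends to $|\alpha|^2 + |\beta|^4 < 1$, so it is not $\delta(n)$-good for any non-negligible $\delta(n)$ once $n$ is large enough.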
4 The Reduction

Using a good adversary $\tilde{\mathcal{A}}$ against QMC, we would like to build an adversary against the $F^n_m$-binding property of the underlying string commitment. In this section, we provide the first step of the reduction given that $\tilde{\mathcal{A}}$'s parity extractor is perfect (i.e. it always returns the parity of the committed string). We construct a circuit built from $\tilde{\mathcal{A}}$ allowing to prepare a commitment into which any $|\psi_{\theta,b}\rangle$ can be inserted efficiently at the opening stage. In Sect. 5, we show how to use this circuit for attacking the binding property of the string commitment.

4.1 The Switching Circuit 

Let $\tilde{\mathcal{A}} = \{(\tilde C^A_n, \tilde O^A_n, E_n)\}_{n>0}$ be an adversary in QMC. We call $\mathcal{H}_{Keep}$ the register kept by $A$ after the committing phase. We denote by $\mathcal{H}_B$ the register containing what is sent by $A$ and kept by $B$ after the committing phase. $\mathcal{H}_Q \simeq \mathcal{H}_2^{\otimes n}$ denotes the register containing the BB84 qubits before the commitment, $\mathcal{H}_\Theta \simeq \mathcal{H}_2^{\otimes n}$ denotes the register for the basis given as input to the extractor, and $\mathcal{H}_G \simeq \mathcal{H}_2$ denotes the register in which the guess on $[b]$ is stored by the extractor.

Instead of running $C_n = (\tilde C^A_n \otimes C^B_n)$ upon some BB84 qubits, we run it with the maximally entangled state $|\Phi^+\rangle$ where the first half is stored in $\mathcal{H}_\Theta$ and the second half is stored in $\mathcal{H}_Q$. Therefore, the basis given as input to the extractor is not a classical state but is rather entangled with register $\mathcal{H}_Q$ containing the qubits $A$ is committed upon. After the execution of $C_n$, transformations $B^{\otimes b}$ and $T^{\otimes\theta}$ are applied to register $\mathcal{H}_\Theta$ in order to prepare the input for the extractor, where $B = \sigma_x\sigma_z$ and $T = H\sigma_z$ ($H$ the Hadamard transform). $E_n$ is then run before $\sigma_z$ is applied upon the extractor's output register $\mathcal{H}_G$. The transformation is completed by running the extractor in reverse. The resulting circuit, shown in Fig. 1, is called the switching circuit. Next, we see that whenever the parity extractor is perfect, the instance of the switching circuit using transformations $B^{\otimes b}$ and $T^{\otimes\theta}$ generates $|\psi_{\theta,b}\rangle$. To see this, we follow its evolution from the initial state $|\Phi^+\rangle$. We



Fig. 1. The Switching Circuit (registers $\mathcal{H}_G$, $\mathcal{H}_\Theta$, $\mathcal{H}_Q$, $\mathcal{H}_{Keep}$, $\mathcal{H}_B$; output $|\psi_{\theta,b}\rangle$)
first look at the state generated before the extractor is applied,

$$
\begin{aligned}
|\Psi'\rangle &= T^{\otimes\theta} B^{\otimes b} C_n\, \frac{1}{\sqrt{2^n}}\sum_s |s\rangle|s\rangle
 = T^{\otimes\theta} B^{\otimes b}\, \frac{1}{\sqrt{2^n}}\sum_s |s\rangle\,|\psi_{+^n,s}\rangle
 = T^{\otimes\theta}\, \frac{1}{\sqrt{2^n}}\sum_s (-1)^{s\odot b}\,|b\oplus s\rangle\,|\psi_{+^n,s}\rangle \\
 &= \sum_{s,t\,:\,t\sqsubseteq\theta} \frac{(-1)^{s\odot b \oplus b\odot t \oplus s\odot t}}{\sqrt{2^{\,n+|\theta|}}}\,|b\oplus s\oplus t\rangle\,|\psi_{+^n,s}\rangle \qquad (17)\\
 &= \sum_{s,t\,:\,t\sqsubseteq\theta}\ \sum_{v\,\sqsubseteq\, b\oplus s\oplus t} \frac{(-1)^{b\odot t \oplus s\odot v \oplus s\odot s}}{\sqrt{2^{\,n+|\theta|+|b\oplus s\oplus t|}}}\,|b\oplus s\oplus t\rangle\,|\psi_{b\oplus s\oplus t,\,s\oplus v}\rangle. \qquad (18)
\end{aligned}
$$

The states up to (17) are obtained by definition of $|\Phi^+\rangle$, $C_n$, $B^{\otimes b}$ and $T^{\otimes\theta}$. Equation (18) follows after changing the basis from $+^n$ to $b\oplus s\oplus t$ using (9). From (18), we follow the evolution through $E_n^\dagger\sigma_z E_n$,

$$
\begin{aligned}
E_n^\dagger\sigma_z E_n\, T^{\otimes\theta} B^{\otimes b} C_n |\Phi^+\rangle
 &= \sum_{s,t\,:\,t\sqsubseteq\theta}\ \sum_{v\,\sqsubseteq\, b\oplus s\oplus t} \frac{(-1)^{b\odot t \oplus s\odot v \oplus v\odot v}}{\sqrt{2^{\,n+|\theta|+|b\oplus s\oplus t|}}}\,|b\oplus s\oplus t\rangle^\Theta \otimes |\psi_{b\oplus s\oplus t,\,s\oplus v}\rangle \qquad (19)\\
 &= \sum_{\substack{x,y,v\,:\ v\sqsubseteq\theta\oplus x\\ v\oplus x\oplus y\,\sqsubseteq\,\theta}} \frac{(-1)^{b\odot\theta \oplus b\odot x \oplus b\odot y \oplus v\odot y}}{\sqrt{2^{\,n+|\theta|+|\theta\oplus x|}}}\,|\theta\oplus x\rangle^\Theta \otimes |\psi_{\theta\oplus x,\,b\oplus y}\rangle \qquad (20)\\
 &= \sum_{x}\ \sum_{y\sqsubseteq x} \frac{2^{|\theta|-|\theta\wedge x|}\,(-1)^{b\odot\theta \oplus b\odot x \oplus b\odot y}}{\sqrt{2^{\,n+|\theta|+|\theta\oplus x|}}}\,|\theta\oplus x\rangle^\Theta \otimes |\psi_{\theta\oplus x,\,b\oplus y}\rangle
 = \sum_{x}\ \sum_{y\sqsubseteq x} \frac{(-1)^{b\odot\theta \oplus b\odot x \oplus b\odot y}}{\sqrt{2^{\,n+|x|}}}\,|\theta\oplus x\rangle^\Theta \otimes |\psi_{\theta\oplus x,\,b\oplus y}\rangle \qquad (21)\\
 &= (-1)^{b\odot\theta} \sum_{x} \frac{1}{\sqrt{2^n}}\,|\theta\oplus x\rangle^\Theta \otimes |\psi_{\theta,b}\rangle = |\Psi_{\theta,b}\rangle. \qquad (22)
\end{aligned}
$$

Notice that in addition to $\mathcal{H}_\Theta$, $E_n$ acts upon another extra register $\mathcal{H}_G$ ignored in the above derivation. W.l.g. one may assume it is included in the Hilbert space where $|\psi_{\theta,b}\rangle$ belongs. Equation (19) follows from the fact that the extractor is perfect: $E_n^\dagger\sigma_z E_n$ then only multiplies $|\theta'\rangle^\Theta|\psi_{\theta',b'}\rangle$ by $(-1)^{[b']}$, and $[s\oplus v] = s\odot s \oplus v\odot v$. Equation (20) follows after reorganizing the terms of the sum with $x = \theta\oplus b\oplus s\oplus t$ and $y = b\oplus s\oplus v$. Equation (21) follows after using (1) to sum over $v$ (the sum vanishes unless $y\sqsubseteq x$), together with $|\theta\oplus x| = |\theta| + |x| - 2|\theta\wedge x|$ where $\theta\wedge x$ is the bitwise AND. We finally get (22) using (9); the factor $(-1)^{b\odot\theta}$ is a global phase.

In conclusion, a perfect extractor allows to produce a commitment inside which any $|\psi_{\theta,b}\rangle$ can be put efficiently even when $\theta$ and $b$ are chosen after the end of the committing phase.



5 Analysis 

We analyze the switching circuit when it is run with imperfect parity extractors. We first show how states $\{|\tilde\Psi_{\theta,b}\rangle\}_{\theta,b}$, produced in this case, overlap with states $\{|\Psi_{\theta,b}\rangle\}_{\theta,b}$ generated when perfect extractors are available. In Sect. 5.2, we represent the behavior of the switching circuit by a table. In Sect. 5.3, we relate this table to attacks against the $F^n_m$-binding property of the string commitment.

5.1 Generalization to Imperfect Extractors 

Assume the adversary $\tilde{\mathcal{A}} = \{(\tilde C^A_n, \tilde O^A_n, E_n)\}_{n>0}$ has access to an imperfect extractor. In this case, $E_n$ is modeled as follows:

$$E_n\,|\theta\rangle^\Theta|0\rangle^G|\psi_{\theta,b}\rangle = |\theta\rangle^\Theta \otimes \big(\gamma_{\theta,b}\,|[b]\rangle^G|\varphi_{\theta,b}\rangle + \tilde\gamma_{\theta,b}\,|1\oplus[b]\rangle^G|\tilde\varphi_{\theta,b}\rangle\big). \qquad (23)$$

Without loss of generality, we may assume that both $\gamma_{\theta,b}$ and $\tilde\gamma_{\theta,b}$ are real positive numbers such that $|\gamma_{\theta,b}|^2 \ge \frac{1}{2}$ (i.e. arbitrary phases can be added to $|\varphi_{\theta,b}\rangle$ and $|\tilde\varphi_{\theta,b}\rangle$). According to (13), the expected bias provided by $E_n$ is,

$$\epsilon(n) = 4^{-n}\sum_\theta\sum_b \epsilon_{\theta,b}(n) = 4^{-n}\sum_\theta\sum_b \Big(|\gamma_{\theta,b}|^2 - \frac{1}{2}\Big). \qquad (24)$$

Compared to the case where the extractor is perfect, only the effect of transformation $E_n^\dagger\sigma_z E_n$ needs to be recomputed. From (23), we obtain,

$$(E_n^\dagger\sigma_z E_n)\,|\theta\rangle|\psi_{\theta,b}\rangle = (-1)^{[b]}\,|\theta\rangle \otimes \big(|\psi_{\theta,b}\rangle + e_{\theta,b}\big), \qquad (25)$$

where the error vector $e_{\theta,b}$ satisfies $|\theta\rangle \otimes e_{\theta,b} = -2\tilde\gamma_{\theta,b}\,E_n^\dagger\big(|\theta\rangle\,|1\oplus[b]\rangle^G|\tilde\varphi_{\theta,b}\rangle\big)$. The final state $|\tilde\Psi_{\theta,b}\rangle$, produced by the switching circuit, can be obtained easily from (19) using (25). We get that $|\tilde\Psi_{\theta,b}\rangle = E_n^\dagger\sigma_z E_n T^{\otimes\theta}B^{\otimes b}C_n|\Phi^+\rangle$ satisfies:

$$|\tilde\Psi_{\theta,b}\rangle = \sum_x\ \sum_{y\sqsubseteq x} \frac{(-1)^{b\odot\theta\oplus b\odot x\oplus b\odot y}}{\sqrt{2^{\,n+|x|}}}\,|\theta\oplus x\rangle \otimes \big(|\psi_{\theta\oplus x,\,b\oplus y}\rangle + e_{\theta\oplus x,\,b\oplus y}\big). \qquad (26)$$

Splitting the inner sum of (26) after distributing the tensor product gives,

$$|\tilde\Psi_{\theta,b}\rangle = |\Psi_{\theta,b}\rangle + F_{\theta,b}. \qquad (27)$$

The first part $|\Psi_{\theta,b}\rangle = (-1)^{b\odot\theta}\big(2^{-n/2}\sum_x |\theta\oplus x\rangle\big) \otimes |\psi_{\theta,b}\rangle$ is exactly what one gets when the switching circuit is run with a perfect extractor (see (22)). The second part is the error term for which the next lemma gives a characterization.

Lemma 2. Consider the switching circuit built from adversary $\tilde{\mathcal{A}} = \{(\tilde C^A_n, \tilde O^A_n, E_n)\}_{n>0}$. Then,

$$4^{-n}\sum_\theta\sum_b \|F_{\theta,b}\|^2 \le 2 - 4\epsilon(n).$$
Proof. Let $\theta$ be fixed. Using the definition of $F_{\theta,b}$ we get

$$
\begin{aligned}
2^{-n}\sum_{b\in\{0,1\}^n} \|F_{\theta,b}\|^2
 &= 2^{-n}\sum_b \Big\|\sum_x\sum_{y\sqsubseteq x} \frac{(-1)^{b\odot\theta\oplus b\odot x\oplus b\odot y}}{\sqrt{2^{\,n+|x|}}}\,|\theta\oplus x\rangle \otimes e_{\theta\oplus x,\,b\oplus y}\Big\|^2 \\
 &= 2^{-n}\sum_x\sum_b \frac{1}{2^{\,n+|x|}} \Big\|\sum_{y\sqsubseteq x} (-1)^{b\odot\theta\oplus b\odot x\oplus b\odot y}\, e_{\theta\oplus x,\,b\oplus y}\Big\|^2, \qquad (28)
\end{aligned}
$$

where (28) is obtained from the orthogonality of all $|\theta\oplus x\rangle \otimes e_{\theta\oplus x,\,b\oplus y}$ when $x$ varies, and from Pythagoras' theorem. We now apply Lemma 1 to (28) with $A = \{y\in\{0,1\}^n \mid y\sqsubseteq x\}$, $w = b$, $z = y$, and $v_{w,z} = (-1)^{b\odot\theta\oplus b\odot x\oplus b\odot y}\,e_{\theta\oplus x,\,b\oplus y}$. We first verify that the condition expressed in (2) is satisfied:

$$\sum_b \sum_{y_1\in A\,:\,b\oplus y_1 = s}\ \sum_{y_2\in A\,:\,b\oplus y_2 = t} \langle v_{b,y_1}, v_{b,y_2}\rangle = \langle e_{\theta\oplus x,s},\, e_{\theta\oplus x,t}\rangle \sum_{b\,:\,b\oplus s\sqsubseteq x,\ b\oplus t\sqsubseteq x} (-1)^{b\odot(s\oplus t)} = 0,$$

from an identity equivalent to (1) since $b$ runs over all substrings in the support of $s\oplus t \sqsubseteq x$. We therefore apply the conclusion of Lemma 1 to get that for all $x\in\{0,1\}^n$,

$$\sum_b \Big\|\sum_{y\sqsubseteq x} (-1)^{b\odot\theta\oplus b\odot x\oplus b\odot y}\, e_{\theta\oplus x,\,b\oplus y}\Big\|^2 = \sum_{y\sqsubseteq x}\sum_b \|e_{\theta\oplus x,\,b\oplus y}\|^2 = 2^{\,n+|x|}\Big(2 - 4\cdot 2^{-n}\sum_b \epsilon_{\theta\oplus x,b}(n)\Big), \qquad (29)$$

since $\|e_{\theta\oplus x,b}\|^2 = 4\tilde\gamma_{\theta\oplus x,b}^2 = 2 - 4\epsilon_{\theta\oplus x,b}(n)$ by (23) and (24). The result follows after replacing (29) in (28). $\square$

Using Lemma 2, we show how the the output of the switching circuit with 
imperfect extractors approaches the one with perfect extractors. Next lemma 
gives an upper bound on the expected overlap between the states produced 
using perfect and imperfect extractors. 

Lemma 3. Let A = {(C_n, O_n, E_n)}_{n>0} be the circuits for the adversary such that the extractor E_n has expected bias ε(n). Then, the set of states {|Ψ_{θ,b}⟩}_{θ,b} produced by the switching circuit satisfies

S_A = Σ_{b,θ} 4^{-n} |⟨ψ_{θ,b}|Ψ_{θ,b}⟩| ≥ 2ε(n).



Proof According (27), we can write l#e,b) = \1'e,b) + = (1 - <X9,b) \1'9,b) + 

139, b where 1 = || \Te^f)\\^ = |(1 - ae.b)P + l/^e.bP and = 0. 

Isolating \ag^b\ and using the fact that |ae,bP + |/3e,&P = gives \ag^b\ = 

which, after invoking Lemma 2, leads to b4“”|(<^6(_6l'f'e,b)| > 

E,,,4-"(l - M) = 1 - > 2e(n). 



□ 
Lemma 3 tells us that with good extractors, one can generate states having large overlap (in the expected sense) with all QMCs to different BB84 qubits, which states are chosen at the beginning of the opening stage (i.e. after the end of the committing phase). It remains to show how to use this ability to break the binding property. This second and last step of our reduction is addressed in the next section.

5.2 Representing the Switching Circuit by a Table

In this section, we look at how to invoke the switching circuit in order to attack the binding property of the string commitment. Remember first that |ψ_{θ,b}⟩ has probability p^{ok}_{θ,b}(n) = ||Q*_θ |ψ_{θ,b}⟩||^2 to open a valid QMC to |b⟩_θ, where Q*_θ is defined as in (10). Remember that a valid opening of |b⟩_θ consists in the opening of any 2n-bit string (θ', b') ∈ A_n(θ,b). We take advantage of the structure of A_n(θ,b) in order to exhibit attacks against the binding condition.

Suppose first that adversary A has access to a perfect parity extractor E_n. From Sect. 4.1, such an adversary can generate |ψ_{θ,b}⟩ for any choice of θ ∈ {+,×}^n and b ∈ {0,1}^n. Each of the 4^n sets of valid announcements A_n(θ,b) is of size #A_n(θ,b) = 3^n. We define a table of positive real numbers having 4^n rows and 3^n columns, where each row is labeled by a pair (θ,b). The row (θ,b) contains values T_{θ,b}(τ,β) = for all (τ,β) such that (θ ⊕ τ, b ⊕ β) ∈ A_n(θ,b). This condition is equivalent to (τ,β) such that β ≼ τ. The table values for the case n = 1 are shown in Fig. 2. The sum of each row is added to the right. The construction is easily generalized for arbitrary n, in which case each column contains 4^n orthogonal projectors applied to the 4^n states {|ψ_{θ,b}⟩}_{θ,b}. The sum of all values in the table is simply 4^n p^{ok}(n) =

Fig. 2. The table for the case n = 1 and perfect extractor. Rows are labeled by (θ,b), columns by (τ,β) with β ≼ τ, and the sum of each row is given on the right.

  row (θ,b)   (τ,β) = (0,0)               (τ,β) = (1,0)               (τ,β) = (1,1)               row sum
  (+,0)       ||Q_{(+,0)}|ψ_{+,0}⟩||^2   ||Q_{(×,0)}|ψ_{+,0}⟩||^2   ||Q_{(×,1)}|ψ_{+,0}⟩||^2   p^{ok}_{(+,0)}(n) = ||Q_{(+,0)}|ψ_{+,0}⟩||^2
  (+,1)       ||Q_{(+,1)}|ψ_{+,1}⟩||^2   ||Q_{(×,1)}|ψ_{+,1}⟩||^2   ||Q_{(×,0)}|ψ_{+,1}⟩||^2   p^{ok}_{(+,1)}(n) = ||Q_{(+,1)}|ψ_{+,1}⟩||^2
  (×,0)       ||Q_{(×,0)}|ψ_{×,0}⟩||^2   ||Q_{(+,0)}|ψ_{×,0}⟩||^2   ||Q_{(+,1)}|ψ_{×,0}⟩||^2   p^{ok}_{(×,0)}(n) = ||Q_{(×,0)}|ψ_{×,0}⟩||^2
  (×,1)       ||Q_{(×,1)}|ψ_{×,1}⟩||^2   ||Q_{(+,1)}|ψ_{×,1}⟩||^2   ||Q_{(+,0)}|ψ_{×,1}⟩||^2   p^{ok}_{(×,1)}(n) = ||Q_{(×,1)}|ψ_{×,1}⟩||^2

The table is defined similarly for imperfect parity extractors. In this case, the table T_A = {T_{θ,b}(τ,β)}_{θ,b,τ,β≼τ} associated with adversary A contains the elements

T_{θ,b}(τ,β) = ||Q_{(θ⊕τ, b⊕β)} |Ψ_{θ,b}⟩||^2. (30)

While for perfect extractors the sum over all elements in the table is at least 4^n p^{ok}(n), the next theorem shows that any table built from a δ(n)-good adversary adds up to 4^n poly(δ(n)). The proof follows easily from Lemma 3 and can be found in [5].
Theorem 1. If A = {(C_n, O_n, E_n)}_{n>0} is a δ(n)-good adversary against QMC and T_A = {T_{θ,b}(τ,β)}_{θ,b,τ,β≼τ} is its associated table, then

Σ_{θ,b,τ,β≼τ} T_{θ,b}(τ,β) ≥ 4^n δ(n)^3 / 32. (31)



Theorem 1 establishes the existence of one column in T_A providing a weak attack, since any table with 3^n columns all summing up to more than 4^n δ(n)^3/32 has one column exceeding (4/3)^n δ(n)^3/32 > 1 + 1/poly(n). Let (τ,β) be such a column and consider the class of functions containing only the identity 1_{2n}. For (y,y') ∈ {0,1}^{2n}, the state |Ψ_{y⊕τ, y'⊕β}⟩ can be generated using the switching circuit. The probability to unveil (y,y') is T_{y⊕τ, y'⊕β}(τ,β) = ||Q_{(y,y')} |Ψ_{y⊕τ, y'⊕β}⟩||^2. By construction, we have Σ_{(y,y')} T_{y⊕τ, y'⊕β}(τ,β) > 1 + 1/poly(n), which provides an attack against the string commitment's 1_{2n}-binding property in accordance with (7). As we pointed out in Sect. 3.1, however, this attack might not even be statistically distinguishable from the trivial adversary. This implies that proving a string commitment computationally 1_{2n}-binding would be impossible. In the next section, we find stronger attacks, allowing us to relax the binding property required for secure QMC.



5.3 Strong Attacks against the String Commitment

We now show that the table T_A, built out of any δ(n)-good adversary A, contains an attack against the F^m_n-binding property of the 2n-string commitment with m ∈ O(polylog(n)) whenever δ(n) > 1/poly(n). We show this using a counting argument. We cover the table uniformly with all attacks in F^m_n. Theorem 1 is then invoked in order to conclude that for some f ∈ F^m_n, condition (7) does not hold.

Attacking the binding condition according to a function f ∈ F^m_n is done by grouping columns in T_A as described in (6) and discussed in more detail in [5]. The number of lines involved in such an attack is clearly 2^m, while the number of columns can be shown to be 2^m 3^{n-m} (for information see [5] and Lemma 4 below). This means that any attack in F^m_n covers t = 3^{n-m} 4^m elements in T_A.

The quality of such an attack is characterized by the sum of all elements in the sub-array defined by the attack, since this sum corresponds to the value of (7). Let t_A = 3^n 4^n be the total number of elements in T_A and let Σ_A be its sum. The following lemma, proved in [5], shows that all attacks in F^m_n cover T_A uniformly:



Lemma 4. All f-attacks with f ∈ F^m_n cover T_A uniformly, that is, each element in T_A belongs to exactly a = C(m,n) 4^m attacks, each of size t = 3^{n-m} 4^m.

Let s* be the maximum of (7) for all f-attacks with f ∈ F^m_n. Clearly, a · s* ≥ Σ_A since, by Lemma 4, the covering of T_A by f ∈ F^m_n is uniform and a · t/t_A is the number of times is generated by attacks in F^m_n. In other words,



* \ 
a - s > 



t A 



^ > tiA = 



(32) 



Assuming that A is δ(n)-good, Theorem 1 tells us that Σ_A ≥ 4^n δ(n)^3/32, so (32) implies that

s* ≥ δ(n)^3 4^m / (32 · 3^m) ≥ 1 + 1/poly(n), (33)

for any m > ⌈log …⌉. Equation (33) guarantees that for at least one f ∈ F^m_n condition (7) is not satisfied, thereby providing an attack against the F^m_n-binding criteria. Moreover, since δ(n) > 1/poly(n), it is sufficient that m ∈ O(polylog(n)). It follows that at least one f-attack in F^m_n is statistically distinguishable from any trivial one.



6 The Main Result and Its Application

Putting together Theorem 1 and (33) leads to our main result:

Theorem 2 (Main). Any δ(n)-good adversary A against QMC can break the F^m_n-binding property of the string commitment it is built upon for m ∈ O(log δ^{-1}) using a circuit of size O(||A||/δ).

Theorem 2 can be applied to the construction of 1-2 QOT in the computational setting. We can use QMCs for building a weak 1-2 QOT such that:

— the sender has no information about the receiver's selection bit and,

— the receiver, according to Theorem 2, can only extract a limited amount of information about both bits.

This weak flavor of 1-2 QOT is easily obtained by the following primitive, called W_n, accepting B's input bits (β_0, β_1) and A's selection bit s (i.e. this construction is very similar to the CK protocol [6]):

Protocol W_n

1. B and A run the committing phase of a QMC (i.e. built from a F^m_n-binding string commitment scheme) upon |b⟩_θ for b ∈_R {0,1}^n, θ ∈_R {+,×}^n picked by B,

2. B chooses c ∈_R {0,1} and announces it to A,

— if c = 0 then A unveils the QMC; if the unveiling succeeds then A and B return to 1, otherwise B ABORTS,

— if c = 1 then B announces θ, A announces a partition I_0, I_1 ⊆ {1, ..., n} such that for all i ∈ I_s the measurements were made in basis θ̂_i = θ_i, then B announces a_0, a_1 ∈ {0,1} s.t. a_0 = β_0 ⊕ (⊕_{i∈I_0} b_i) and a_1 = β_1 ⊕ (⊕_{i∈I_1} b_i),

• A does her best to guess (b_0, b_1) = (⊕_{i∈I_0} b_i, ⊕_{i∈I_1} b_i).
Clearly, W_n is a correct 1-2 QOT since an honest receiver A can always get bit β_s = b_s ⊕ a_s. A's information about the other bit can be further reduced using the following simple protocol accepting B's input bits (β_0, β_1) and the selection bit s for the honest receiver:

Protocol R-Reduce(t, W_n)

1. W_n is executed t times, with random inputs (β_{0i}, β_{1i}), i = 1..t, for the sender and input s for the receiver, such that β_{01} ⊕ ... ⊕ β_{0t} = β_0 and β_{11} ⊕ ... ⊕ β_{1t} = β_1.

2. The receiver computes the XOR of all bits received, that is β_s = ⊕_{i=1}^{t} β_{si}.

Classically, it is straightforward to see that the receiver's information about one-out-of-two bits decreases exponentially in t. We say that a quantum adversary A against R-Reduce(t, W_n) is promising if it runs in poly-time and the probability to complete the execution is non-negligible. Using Theorem 2, it is not difficult to show that A's information about one of the transmitted bits also decreases exponentially in t whenever A is promising:

Theorem 3. For any promising receiver A in R-Reduce(t, W_n) and for all executions, there exists s ∈ {0,1} such that A's expected bias on β_s is negligible in t (even given β_{1-s}).

A sketch of proof can be found in [5]. It relies upon the fact that any promising adversary must run almost all W_n with p^{ok}(n) > 1 − δ for any δ > 0. Using Theorem 2, this means that, independently for each of those executions 1 ≤ i ≤ t, one bit β_{si} out of (β_{0i}, β_{1i}) cannot be guessed with bias better than δ_max(δ) ≪ … In this case, the bias on β_s can be shown to be negligible in t.

Clearly, the sender B in R-Reduce(t, W_n) cannot get any non-negligible amount of information about A's selection bit when the commitments are statistically concealing. This remark, together with Theorem 3 and the correctness of R-Reduce(t, W_n), leads to:

Corollary 1. A correct and private 1-2 QOT can be based upon any F^m_n-binding and statistically concealing quantum string commitment scheme. The resulting 1-2 QOT statistically hides the selection bit and computationally hides one out of two transmitted bits.

In other words, building 1-2 QOT upon Theorem 2 allows for an easy security proof in the computational setting. Our analysis assumes for simplicity that A and B have access to a perfect quantum channel. Nevertheless, noise may be tolerated if we construct 1-2 QOT along the lines of BBCS [3] instead of CK [6].

7 Open Questions

An obvious open problem is how to build F^m_n-binding string commitments from computationally binding bit commitment schemes. In particular, how can one transform the computationally binding bit commitments of [8] and [7] into F^m_n-binding string commitments? This would show that QMCs, and therefore 1-2 QOT, can be based upon any one-way permutation [8] and/or any one-way function [7]. It is an open question whether or not Theorem 2 holds for δ(n)-non-trivial adversaries against QMC. Such an extension would show that our reduction from an adversary against QMC into one against the binding condition is to some extent optimal. It is also of interest to find attacks against weaker binding properties.

Finally, it would be very interesting to formally prove the security of the CK protocol using Theorem 2. This would result in a proof of security that, in addition to applying in the computational setting, would be based upon a completely different approach than Yao's proof [20]. Moreover, the CK protocol is more practical than our construction since it only requires a constant number of rounds with fewer qubits transmitted (i.e. O(n) vs. O(tn)). It would also be useful to prove Corollary 1 in the case where the quantum channel is noisy.
Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations

Abstract. Until recently, the existence of collection of trapdoor permutations (TDP) was believed (and claimed) to imply almost all of the major cryptographic primitives, including public-key encryption (PKE), oblivious transfer (OT), and non-interactive zero-knowledge (NIZK). It was recently realized, however, that the commonly accepted general definition of TDP needs to be strengthened slightly in order to make the security proofs of TDP-based OT go through. We present an implementation of oblivious transfer based on collection of dense trapdoor permutations. The latter is a collection of trapdoor permutations with the property that the permutation domains are polynomially dense in the set of all strings of a particular length. Previous TDP-based implementations of oblivious transfer assumed an enhancement of the hardness assumption (of the collection).



1 Introduction

1.1 Oblivious Transfer (OT)

Oblivious transfer (OT), originally defined by Rabin [15], is a fundamental primitive in cryptography. OT has several equivalent formulations [15,7,3,5,2,4]. The version we study, defined by Even, Goldreich and Lempel [7], is that of one-out-of-two OT. Informally, a (one-out-of-two) OT is a two-party protocol in which one party (the sender) holds two secrets (σ_0 and σ_1) and the other party (the receiver) holds a secret bit i. If both parties follow the protocol, the receiver learns σ_i. In addition, even a cheating receiver (i.e., one that arbitrarily deviates from the protocol) cannot learn more than a single value in {σ_0, σ_1}, and even a cheating sender does not learn anything about i during the run of the protocol.

OT implies key agreement (KA) [15,1], signing contracts [7], and in general any secure multi-party evaluation [17,14,10].



1.2 Collection of Trapdoor Permutations (TDP)

A "collection of trapdoor permutations" (TDP) is among the strongest cryptographic primitives. TDP is a special case of collection of one-way permutations (OWP). Informally, a collection of permutations is one-way if a permutation chosen from this collection is easy to compute on any input, but hard to invert on the average. Any collection of OWP provides two additional efficient algorithms: the permutation sampler algorithm that samples a random permutation in the collection, and the domain sampler algorithm that generates a random element in the domain of a given permutation. We stress that the permutation domains might be arbitrary, as long as there is an efficient domain sampler that generates a random element in them. Such a collection is called TDP if, in addition, the permutation sampler algorithm produces trapdoor information that allows its holder to invert the permutation (see Subsection 3.4 for details).

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 394-409, 2004.

1.3 Does TDP Imply OT?

Until recently, the existence of TDP was believed (and claimed) to imply OT. It was recently realized, however, that the commonly accepted general definition of TDP needs to be strengthened slightly in order to make the security proofs of TDP-based OT go through. This is due to the fact that in the standard TDP-based OT protocol, proposed by [7], the (honest-but-curious) receiver is expected to sample an element from the permutation domain such that the inverse of this element remains secret from its own point of view. The basic TDP security requirement guarantees secrecy against an external observer (who only observes the sampled element); however, the randomness used by the sampler could potentially be useful for efficient inversion. In fact, an arbitrary sampler could be used to construct a bad one, which first generates a domain element and then applies the permutation to produce the output.

To enable the stronger security feature required by the OT, Goldreich [12] defines a stronger primitive called "enhanced TDP". Specifically, an element produced by the domain sampler of an enhanced TDP should be hard to invert even when given the randomness used to produce it (see Subsection 3.5 for details). It should be noted that this distinction is quite hypothetical, as essentially all of the (very few) known TDP candidates can satisfy the stronger notion under the same assumptions.



1.4 Our Result

We show that OT can be based on any dense-TDP, where the latter is a TDP whose permutation domains are polynomially dense, i.e., contain polynomial fractions of the strings of length k (see Subsection 3.6 for details). We note that a density assumption is made in other known constructions, such as the construction of non-interactive zero-knowledge proof of knowledge (NIZKPK) based on dense public-key cryptosystems [16].



1.5 Our Construction - Main Ideas

Our implementation follows the general ideas of the EGL protocol mentioned above. Recall that the EGL protocol is based on enhanced TDP (rather than a standard TDP) because the (honest-but-curious) receiver is expected to sample an element from the permutation domain such that the inverse of this element remains secret from its own point of view. In our construction, the receiver does not use the sampler, but rather chooses a random element in {0,1}^n and checks whether or not the element is in the permutation domain. The main difficulty in our construction is the fact that it is not guaranteed that one can efficiently do the check above (i.e., check whether a given element is in the permutation domain). In order to overcome this difficulty, we extend a given dense-TDP into a dense-TDP with the extra property that there is an efficient algorithm that, given the permutation trapdoor, checks whether a given element in {0,1}^n is inside the permutation domain. (We note that by doing this extension we are penalized, since the extended collection is not guaranteed to be dense-TDP but merely dense-weak-TDP, i.e., the collection's permutations are only guaranteed to be weak-one-way permutations.) Then we use the latter TDP to implement a very weak form of OT, where we cannot assure that all the required properties of OT hold, but we can guarantee that they hold with a non-negligible probability. The main idea of the above construction is that the sender helps the receiver to check whether a given element is in the permutation domain. The final step of our construction is amplifying the above "weak OT" into a standard one. We note that even though amplifications of information theoretic weak forms of OT are quite common (e.g., [3,6]), amplifications of computational knowledge weak forms of OT, such as our amplification, are rare (in fact we encountered none) and are rather more complicated. Therefore, the amplification part of this paper may have a stand-alone value.

1.6 The Organization of the Rest of the Paper

In Section 2, we give a high level overview of our implementation. Section 3 is where we give the exact definitions of the tools and terms we use in this paper. In Section 4 we give the full implementation of a weak form of OT based on dense-TDP, and in Section 5 we show how to amplify such a "weak-OT" into a standard one.

2 Overview of Our OT

We present a polynomial time implementation of OT based on the existence of dense-TDP. Our implementation follows the general ideas of the following OT protocol, suggested by [7].

2.1 The EGL OT Protocol

Let (I, D, F) be a TDP, where I is the permutation sampler algorithm, D is the domain sampler algorithm and F and F^{-1} are the evaluation and inverting algorithms respectively (see Subsection 3.4 for details). Recall that the protocol's inputs are: the sender's secrets, σ_0 and σ_1, the receiver's index, i, and the security-parameter, n, given in unary.
1. The sender uniformly selects a permutation description, a, along with its trapdoor, t, by letting (a, t) ← I(1^n).

The sender sends a to the receiver.

2. The receiver uniformly selects two elements, r_0 and r_1, in D_a, as follows: r_{1-i} is selected directly in D_a, using the sampler, D. In order to select r_i, the receiver selects a third element, s, in D_a (using the sampler) and then sets r_i to f_a(s).

Hence, the receiver knows the pre-image of r_i (i.e., s), but does not know the pre-image of r_{1-i}. Note that since f_a is a permutation, both r_0 and r_1 have the same distribution and thus, knowing them gives no information about i.

The receiver sends (r_0, r_1) to the sender.

3. For both j = 0, 1, the sender computes c_j = σ_j ⊕ b(f_a^{-1}(r_j)), where b is a hardcore predicate for f_a.

The sender sends (c_0, c_1) to the receiver.

4. The receiver locally outputs c_i ⊕ b(s) (and as c_i ⊕ b(s) = c_i ⊕ b(f_a^{-1}(r_i)) = σ_i, it outputs σ_i).

Note that as the receiver does not know the value of f_a^{-1}(r_{1-i}), it receives no knowledge about σ_{1-i}.

The security of the above protocol relies on the fact that the receiver does not know the pre-image of r_{1-i}, even though the receiver knows the random coins used by the sampler to select r_{1-i}. Therefore, the above protocol requires that the TDP be an enhanced one.



2.2 Towards the Protocol

We call a given TDP "checkable-domains-TDP" if there is an efficient algorithm that checks whether a given element in {0,1}^n is inside the permutation domain (clearly, a given TDP might not have this property). We start by showing how to implement an OT based on checkable-domains-dense-TDP, and then, step by step, show how to implement an OT based on a standard dense-TDP.



An OT Based on Checkable-Domains-Dense-TDP. The protocol follows the same lines as the EGL protocol (described in Subsection 2.1), except for Step 2, which has the following form:

2. The receiver selects s, r_i and r_{1-i} as follows:

a. s and r_{1-i} are chosen uniformly in {0,1}^n.

b. The receiver checks whether both s and r_{1-i} are in D_a. If the answer is negative, the receiver restarts the protocol (the two parties go back to the first step of the protocol).

c. r_i is set to f_a(s).

It is easy to see that the above construction is indeed an implementation of OT. We stress that since the receiver did not use the collection sampler to choose r_{1-i}, the above is still true even if the collection is not enhanced.
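The EGL protocol of Subsection 2.1 and its checkable-domains variant above, as an added example written for this edition and not part of the paper: a simulation in Python using a toy RSA-style collection with tiny fixed primes (no security at all, it only exercises the message flow), whose domain Z_N^* is efficiently checkable without the trapdoor, with the least significant bit standing in for the hardcore predicate b and rejection sampling of uniform n-bit strings standing in for the domain sampler D. The names sample_permutation, in_domain, ot and all_cases_correct are the example's own.

```python
import math
import random

# Toy collection of trapdoor permutations, constructed for illustration only:
# index a = (N, e), f_a(x) = x^e mod N on the domain D_a = Z_N^*, trapdoor t = d.
# The primes are tiny, so this gives no security; it only exercises the protocol.
# n = |N| is the bit length of N, and since N is close to 2^n, D_a = Z_N^* contains
# most n-bit strings: the collection is "dense" in the sense of the paper.
P, Q, E = 1009, 1013, 17
N_BITS = (P * Q).bit_length()          # n = 20 bits


def sample_permutation():
    """I(1^n): returns a permutation index a = (N, e) and its trapdoor t = d.
    A real sampler would draw fresh primes; the fixed ones here are a stand-in."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), d


def in_domain(a, x):
    """Membership test for D_a = Z_N^*.  It needs no trapdoor, which is exactly the
    'checkable-domains' property of Subsection 2.2."""
    n, _ = a
    return 0 < x < n and math.gcd(x, n) == 1


def f(a, x):
    """F(a, x): evaluate the permutation."""
    n, e = a
    return pow(x, e, n)


def f_inv(a, t, y):
    """F^{-1}(a, t, y): invert with the trapdoor."""
    n, _ = a
    return pow(y, t, n)


def hardcore(x):
    """b(x): the least significant bit, used here as the hardcore predicate of f_a."""
    return x & 1


def sample_domain_by_rejection(a, rng):
    """Steps 2a/2b of the checkable-domains protocol: draw uniform n-bit strings and
    keep the first one inside D_a.  The receiver never runs the collection's sampler D,
    so no sampler randomness exists that could help invert the element."""
    while True:
        x = rng.getrandbits(N_BITS)
        if in_domain(a, x):
            return x


def ot(sigma0, sigma1, i, rng):
    """One run with sender input (sigma0, sigma1) and receiver input i.
    Returns (receiver_output, (r_0, r_1), (c_0, c_1))."""
    # Step 1: the sender samples (a, t) and sends a.
    a, t = sample_permutation()
    # Step 2: the receiver picks s and r_{1-i} in D_a and sets r_i = f_a(s), so it
    # knows the pre-image of r_i only.  Both r_j are uniform on D_a, which hides i.
    s = sample_domain_by_rejection(a, rng)
    r = [None, None]
    r[1 - i] = sample_domain_by_rejection(a, rng)
    r[i] = f(a, s)
    # Step 3: the sender masks sigma_j with the hardcore bit of f_a^{-1}(r_j).
    sigma = (sigma0, sigma1)
    c = tuple(sigma[j] ^ hardcore(f_inv(a, t, r[j])) for j in (0, 1))
    # Step 4: the receiver unmasks c_i with b(s) = b(f_a^{-1}(r_i)); it holds no
    # pre-image of r_{1-i}, so c_{1-i} tells it nothing about sigma_{1-i}.
    return c[i] ^ hardcore(s), tuple(r), c


def all_cases_correct(seed=0):
    """Runs the protocol on every (sigma0, sigma1, i) and reports whether the
    receiver learned sigma_i each time."""
    rng = random.Random(seed)
    return all(ot(s0, s1, i, rng)[0] == (s0, s1)[i]
               for s0 in (0, 1) for s1 in (0, 1) for i in (0, 1))
```

The point to notice is where the randomness lives: the receiver's only secret is s itself, chosen as a plain bit string, so the "enhanced" requirement that inversion stay hard even given the sampler's coins never arises; the cost is the rejection loop, which terminates quickly only because D_a is dense.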

Our next step is to implement a dense-TDP based OT with a weaker property than the checkable-domains one. We call a given TDP a "t-checkable-domains-TDP" if there is an efficient algorithm that, given the permutation trapdoor, checks whether a given element in {0,1}^n is inside the permutation domain. We do not construct an OT based on t-checkable-domains-dense-TDP directly, but rather construct some weak form of OT. We shall later show how this weak form of OT can be amplified into a standard OT.



2.3 A Weak OT Based on T-Checkable-Domains-Dense-TDP

The first idea is to try and use a protocol similar to Protocol 2.2, where in order to decide whether or not s and r_{1-i} are in D_a, the receiver sends both elements to the sender in random order, and the sender (using the trapdoor) does the check and returns the answer to the receiver. If the sender's answer is positive, then the receiver sends f_a(s) and r_{1-i} to the sender and the protocol proceeds as in Protocol 2.2, otherwise the receiver restarts the protocol [1]. It is easy to see, however, that this protocol leaks the value of i to the sender (as the sender gets both s and f_a(s)).

A better idea is for the receiver to send the sender f_a(s) [2] and r_{1-i} (instead of s and r_{1-i}) in random order, and the sender answers whether both elements are in D_a. Only if the sender's answer is positive does the receiver reveal the right order of f_a(s) and r_{1-i}, and the protocol proceeds as in Protocol 2.2. At first glance it seems as though we have a solution; unfortunately this is not the case, as it turns out that not only might information about i leak, but also the receiver might miscalculate the value of σ_i. The problem is that even if f_a(s) is in D_a, we are not guaranteed that s is. The reason is that f_a, when extended to {0,1}^n, is not necessarily a permutation and therefore s might be outside D_a even if f_a(s) is in D_a. Therefore the receiver might miscalculate the value of σ_i. Moreover, as f_a is not a permutation on {0,1}^n, f_a(s) and r_{1-i} might have different distributions and hence, by revealing them to the sender, some information about i might leak.

Fortunately, there is a way to overcome the problems above, or more accurately to ensure that the constructed protocol is some weak form of OT. (By a weak form of OT, we mean that even though we cannot assure that all the required properties of OT hold, we can guarantee that they hold with non-negligible probability.) The solution is that in addition to checking whether both elements (i.e., f_a(s) and r_{1-i}) are in D_a, the sender sends to the receiver

[1] There is a subtle point regarding the running time of the above protocol, which is not even guaranteed to stop. Due to the density property of the collection, however, this issue can be easily solved.

[2] By f_a(x), where x is not guaranteed to be in D_a, we mean the result of invoking the collection evaluating algorithm, F, with inputs a and x.
some random information [3] about the pre-images (with respect to f_a) of the two elements. The receiver checks whether the information it received about the pre-image of f_a(s) is consistent with s. If the answer is negative (or if one of the elements is not in D_a) it restarts the protocol. By keeping the amount of information the sender sends about pre-images small [4], we guarantee that only a small amount of information about the pre-image of r_{1-i} (and therefore about σ_{1-i}) has leaked to the receiver. On the other hand, even though the amount of information is limited, we can guarantee with sufficiently high probability (which depends on the amount of information sent and the density of the collection) that the chosen s is indeed the pre-image of r_i. Hence, the protocol is a weak form of OT where all the required properties hold with sufficiently high probability [5].

We are now ready to construct a "very" weak form of OT (even weaker than the above) based on dense-TDP without any other assumptions.



2.4 A "Very" Weak OT Based on Any Dense-TDP

The main idea is that any dense-TDP can be extended into a t-checkable-domains-dense-TDP. (We note that by doing this extension we are penalized, since the extended collection is not guaranteed to be dense-TDP but merely dense-weak-TDP, i.e., the collection's permutations are only guaranteed to be weak-one-way permutations.) The construction of the extended collection is as follows. For each permutation f_a with domain D_a of the original collection, the extended collection has the permutation f'_a with domain D'_a, where D_a ⊆ D'_a = {x ∈ {0,1}^n | f_a(f_a^{-1}(x)) = x} and f'_a is defined to be the natural extension of f_a to D'_a, that is f'_a(x) = F(a, x).

By the density property of the collection we have that for any given permutation a, is not negligible, therefore the extended collection's permutations are weak-one-way permutations. Hence, the extended collection is a dense-weak-TDP. Moreover, given an element x in {0,1}^n and a permutation trapdoor, one can easily check whether x is in the permutation domain by checking whether

f_a(f_a^{-1}(x)) = x.

By using Protocol 2.3 with the above dense-weak-TDP as the underlying collection, we construct some weak form of OT. This form of OT is even weaker than the one achieved by Protocol 2.3, as the collection's permutations are only weak one-way and hence some information about σ_{1-i} might leak to the receiver through the run of the protocol. Nevertheless, this weaker form can still be amplified into a standard OT.
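The extended collection of this subsection together with the pre-image consistency check of Subsection 2.3, as an added example written for this edition (not the paper's code): the same toy RSA-style collection as before, where F(a, x) = x^e mod N is evaluated on any n-bit string as footnote 2 allows. Strings x ≥ N reproduce exactly the failure mode described in 2.3: f_a(s) lands in the domain while s itself does not, the sender's inversion returns s mod N rather than s, and the k-bit hash of the pre-image no longer matches. The trapdoor membership test is the paper's f_a(f_a^{-1}(x)) = x; the hash family h_{u,v}(x) = ((u·x + v) mod p) mod 2^k, the parameter k and all function names are the example's own assumptions.

```python
import random

# Toy collection, constructed for illustration only (no security): f_a(x) = x^e mod N
# with original domain D_a = Z_N^* and n = |N| = 20 bits.  As in footnote 2 of the
# paper, F(a, x) is simply evaluated on any n-bit string, inside D_a or not.
P, Q, E = 1009, 1013, 17
N = P * Q
D_TRAP = pow(E, -1, (P - 1) * (Q - 1))
N_BITS = N.bit_length()
HASH_P = (1 << 31) - 1                  # prime larger than every n-bit pre-image


def F(x):
    """The evaluation algorithm applied to an arbitrary n-bit string."""
    return pow(x, E, N)


def F_inv(y):
    """The inverting algorithm (needs the trapdoor D_TRAP)."""
    return pow(y, D_TRAP, N)


def in_extended_domain(x):
    """Trapdoor check for D'_a = {x in {0,1}^n : F(a, F^{-1}(a, x)) = x}.  For this toy
    collection D'_a works out to {0, ..., N-1}, a superset of D_a = Z_N^*; every x >= N
    fails because F^{-1} only ever returns residues below N."""
    return 0 <= x < (1 << N_BITS) and F(F_inv(x)) == x


def estimate_density(seed=0, trials=2000):
    """Fraction of uniform n-bit strings that fall in D'_a (the collection's density)."""
    rng = random.Random(seed)
    hits = sum(in_extended_domain(rng.getrandbits(N_BITS)) for _ in range(trials))
    return hits / trials


def hash_k(u, v, x, k):
    """h_{u,v}(x) = ((u*x + v) mod p) mod 2^k: a random member of a pairwise
    independent family truncated to k bits, the 'small random information'."""
    return ((u * x + v) % HASH_P) % (1 << k)


def weak_ot(sigma0, sigma1, i, rng, k=8):
    """Protocol 2.3 run on the extended collection.
    Returns (receiver_output, s_was_in_domain, restarts)."""
    restarts = 0
    while True:
        # Receiver: s and r_{1-i} uniform in {0,1}^n; sends f_a(s), r_{1-i} in random order.
        s = rng.getrandbits(N_BITS)
        r_other = rng.getrandbits(N_BITS)
        flip = rng.getrandbits(1)
        sent = [r_other, F(s)] if flip else [F(s), r_other]
        # Sender: trapdoor membership check on both elements ...
        if not all(in_extended_domain(x) for x in sent):
            restarts += 1
            continue
        # ... then a fresh h_{u,v} and the k-bit hashes of both pre-images go back.
        u, v = rng.randrange(1, HASH_P), rng.randrange(HASH_P)
        hashes = [hash_k(u, v, F_inv(x), k) for x in sent]
        # Receiver: the hash of the pre-image of f_a(s) must match h(s).  If s is
        # outside D'_a (here: s >= N) the sender inverted f_a(s) to s mod N != s and
        # the mismatch is caught with probability about 1 - 2^-k.
        if hashes[1 if flip else 0] != hash_k(u, v, s, k):
            restarts += 1
            continue
        # Receiver reveals the order; the rest is the EGL protocol with LSB as b.
        r = [None, None]
        r[i], r[1 - i] = F(s), r_other
        c = [(sigma0, sigma1)[j] ^ (F_inv(r[j]) & 1) for j in (0, 1)]
        return c[i] ^ (s & 1), in_extended_domain(s), restarts


def all_cases_consistent(seed=0):
    """Whenever s was in D'_a the receiver must have obtained sigma_i."""
    rng = random.Random(seed)
    for s0 in (0, 1):
        for s1 in (0, 1):
            for i in (0, 1):
                out, s_ok, _ = weak_ot(s0, s1, i, rng)
                if s_ok and out != (s0, s1)[i]:
                    return False
    return True
```

Two things the code makes concrete: the receiver's hash check can only fail to detect a bad s with probability about 2^-k, which is why the protocol is "weak" rather than broken, and the same k bits are all that is revealed about the pre-image of r_{1-i}; in the paper k is polylog(n), and with n = 20 here the numbers are toy-sized and not meaningful as a security margin.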



[3] In our implementation the random information is the output of applying a randomly chosen pairwise independent hash function on the pre-images.

[4] By a small amount of information we mean polylog(n) bits of information, where n is the security-parameter of the protocol.

[5] Actually the secrecy of the other secret (i.e., σ_{1-i}) is guaranteed with probability 1.
2.5 The Amplification Step

The amplification of the above "very" weak OT into a standard OT is done in three consecutive steps. In each step we amplify a different property of the protocol. Hence, after the third step we have a standard OT.

3 Definitions

3.1 The Semi-honest Model

Loosely speaking, a semi-honest party is one that follows the protocol properly, with the exception that it keeps a record of all its intermediate computations. In the semi-honest model all parties are assumed to be semi-honest. As far as the implementation of cryptographic protocols is concerned, one can limit oneself to the semi-honest model. The reason is that in [10] it is shown that semi-honest model protocols can be extended to the general (malicious) model, in which nothing is assumed regarding the parties. (For details see [12].)

3.2 Oblivious Transfer (OT)

A (one-out-of-two) OT is a two-party protocol with three inputs: the sender's secrets, σ_0 and σ_1, and the receiver's index, i in {0,1}. In addition, the protocol receives, as an input, its security-parameter, n, given in unary [6]. The OT has the following properties:

1. Correctness - The receiver almost always learns σ_i. That is, the receiver learns σ_i with probability at least 1 − neg(n) (neg(n) stands for a negligible function of n), where the probability is over both parties' internal coin tosses.

2. Sender's privacy - The receiver gains no computational knowledge about σ_{1-i}. More formally, let VIEW_R(σ_i, σ_{1-i}, i) be the random variable defined from the receiver's view of the protocol, where σ_i and σ_{1-i} are the sender's input and i is the receiver's input [7]. Then for any polynomial time algorithm M, for any choices of σ_i, i and large enough n,

|Pr[M(VIEW_R(σ_i, 1, i)) = 1] − Pr[M(VIEW_R(σ_i, 0, i)) = 1]| ≤ neg(n)

where the probability is over both parties' internal coin tosses.

3. Receiver's privacy - The sender gains no computational knowledge about i.

In this paper we focus on implementing OT in the semi-honest model (see Subsection 3.1 for details), which by [10] yields an implementation in the general (malicious) model. Furthermore, we limit ourselves to OT whose secrets are one bit long. Implementing this limited version suffices, as by successive use of the one bit protocol we construct the non-limited version.

[6] We usually omit the security-parameter from the protocol's input parameters list.

[7] The above notation is somewhat misused, as the order of the parameters depends on their values. Nevertheless, the underlying notation is clear, and it is done for the sake of simplicity.
3.3 (ε_1, ε_2, ε_3)-WOT

(ε_1, ε_2, ε_3)-WOT is a two-party protocol that serves as an intermediate step in our implementation of OT. (ε_1, ε_2, ε_3)-WOT is a relaxed version of OT. Whereas in OT it is required that no knowledge except for the required secret may leak from one party to the other, in (ε_1, ε_2, ε_3)-WOT some amount of knowledge might leak (ε_2 is the amount of knowledge that might leak from the sender to the receiver and ε_3 is the amount of knowledge that might leak from the receiver to the sender). Furthermore, even the value of the required secret is not guaranteed to pass correctly (it is only guaranteed to pass with probability 1 − ε_1). Thus the ε's measure the weaknesses of the protocol, and the smaller they are the better the protocol is. Let us turn to the formal definition.

(ε_1, ε_2, ε_3)-WOT is a two-party protocol with three inputs: the sender's secrets, σ_0 and σ_1 in {0,1}, and the receiver's index, i in {0,1}. In addition, the protocol receives, as an input, its security-parameter, n, given in unary. (ε_1, ε_2, ε_3)-WOT has the following properties:

1. Correctness - The receiver learns σ_i with probability at least 1 − ε_1, where the probability is over both parties' internal coin tosses.

2. Sender's privacy - The receiver does not gain more computational knowledge about σ_{1-i} than ε_2. More formally, let VIEW_R(σ_i, σ_{1-i}, i) be the random variable defined from the receiver's view of the protocol, where σ_i and σ_{1-i} are the sender's input and i is the receiver's input. Then for any polynomial time algorithm M, for any choices of σ_i, i and large enough n,

|Pr[M(VIEW_R(σ_i, 1, i)) = 1] − Pr[M(VIEW_R(σ_i, 0, i)) = 1]| ≤ ε_2

where the probability is over both parties' internal coin tosses.

3. Receiver's privacy - The sender does not gain more information about i than ε_3. More formally, let VIEW_S(σ_i, σ_{1-i}, i) be the random variable defined from the sender's view of the protocol, where σ_i and σ_{1-i} are the sender's input and i is the receiver's input. Then for any choices of σ_i and σ_{1-i} and large enough n,

stat(VIEW_S(σ_i, σ_{1-i}, 1), VIEW_S(σ_i, σ_{1-i}, 0)) ≤ ε_3

Note that in the above definition, the third parameter (Receiver's privacy) measures information rather than computational knowledge. This strengthening simplifies our construction, as information theoretic reductions are much simpler than computational knowledge reductions.

3.4 Collection of Trapdoor Permutations (TDP)

Collection of trapdoor permutations (uniform complexity version) [11]: Let $I \subseteq \{0,1\}^*$ and $I_n = I \cap \{0,1\}^n$. A collection of permutations with indices in $I$ is a set $\{f_i : D_i \to D_i\}_{i \in I}$ such that each $f_i$ is one-to-one on the corresponding $D_i$. Such a collection is called a trapdoor permutation if there exist four probabilistic polynomial-time algorithms $I, D, F, F^{-1}$ such that the following five conditions hold:

1. $\Pr[I(1^n) \in I_n \times \{0,1\}^*] > 1 - 2^{-n}$.

That is, $I$ is used to generate a random permutation along with its trapdoor.

2. Selection in domain, for every $n \in \mathbb{N}$ and $i \in I_n$:

a) $\Pr[D(i) \in D_i] > 1 - 2^{-n}$.

b) Conditioned on $D(i) \in D_i$, the output is uniformly distributed in $D_i$.

Thus $D_i \subseteq \{0,1\}^{poly(n)}$. Actually, D_i ⊆ {0, ...

That is, given a permutation, $D$ is used to generate a random element in the permutation domain.

3. Efficient evaluation, for every $n \in \mathbb{N}$, $i \in I_n$ and $x \in D_i$, $\Pr[F(i, x) = f_i(x)] > 1 - 2^{-n}$.

That is, given a permutation, $F$ is used to evaluate the permutation on any element in its domain.

4. Hard to invert, let $I_n$ be the random variable describing the distribution of the first element in the output of $I(1^n)$ and $X_n = D(I_n)$; then, for any polynomial time algorithm $M$, every polynomial $p$, and large enough $n$, $\Pr[M(I_n, f_{I_n}(X_n)) = X_n] < \frac{1}{p(n)}$.

5. Inverting with trapdoor, for every $n \in \mathbb{N}$, any pair $(i, t)$ in the range of $I(1^n)$ such that $i \in I_n$, and every $x \in D_i$, $\Pr[F^{-1}(t, f_i(x)) = x] > 1 - 2^{-n}$.

That is, given a permutation along with its trapdoor, $F^{-1}$ is used to find the pre-image of any element in its domain.



3.5 Enhanced Collection of Trapdoor Permutations 

The implementation of OT presented by [7] is based on the existence of an enhanced collection of trapdoor permutations. The enhancement refers to the hard-to-invert condition, i.e., that it is hard to find the pre-image of a random element without knowing the permutation's trapdoor. The enhanced condition requires that the hardness still hold even when the adversary receives, as an additional input, the random coins used to sample the element. (For more details see [12].)

It is presently unknown whether or not the existence of a TDP implies the existence of an enhanced TDP.



3.6 Collection of Dense Trapdoor Permutations (Dense-TDP)

A collection of dense trapdoor permutations (dense-TDP) is a TDP with one additional requirement. Whereas in an arbitrary TDP the permutations may have arbitrary domains, here we require that these domains be polynomial fractions of the set of all strings of a particular length. Formally, let $D_\alpha$ be the domain of the permutation named $\alpha$; then the additional requirement is: There exists a positive polynomial $q$ such that for all $n \in \mathbb{N}$ and all $\alpha \in I_n$, $D_\alpha \subseteq \{0,1\}^n$ and $|D_\alpha| \ge \frac{2^n}{q(n)}$. We define the density parameter of the collection, $\rho$, as $\frac{1}{q}$.

An alternative definition might allow $D_\alpha$ to be a subset of $\{0,1\}^{k(n)}$, for some fixed positive polynomial $k$ (rather than a subset of $\{0,1\}^n$). It is easy to see, however, that the two definitions are equivalent.
4 Using Dense-TDP to Construct $(\frac{1}{q(n)}, 1 - \rho(n)^2, \frac{1}{q(n)})$-WOT

(where $\rho$ is the density parameter of the collection and $q$ is any positive polynomial)

In this section we implement a very weak form of $(\varepsilon_1, \varepsilon_2, \varepsilon_3)$-WOT, as all three parameters are not negligible. Notice that while the second parameter is fixed (equals $1 - \rho(n)^2$) and might be rather big, the first and third parameters can be as small as we like (as long as they are polynomial fractions). This freedom in choosing the first and third parameters is used by the next section in order to construct a stronger protocol.



4.1 Preliminaries 

Let $(I, D, F, F^{-1})$ be a dense-TDP with density parameter $\rho$. For simplicity's sake, we assume that the collection's algorithms are deterministic and errorless, i.e., always return the right answers. Note that in the definition of dense-TDP, the algorithms are probabilistic and might return wrong answers with negligible probability. Extending the following implementation to the general case, however, is rather straightforward. (For details see [13].)

We would like to evaluate $F(\alpha, \cdot)$ and $F^{-1}(\alpha, \cdot)$ on any element in $\{0,1\}^n$ (and not only on elements in $D_\alpha$). The problem is that nothing is guaranteed about the computation of $F(\alpha, x)$ and $F^{-1}(\alpha, x)$ when $x$ is not in $D_\alpha$. We can assume, however, that this computation halts in polynomial time and returns some value in $\{0,1\}^n$. Therefore we extend the notations $f_\alpha(x)$ and $f_\alpha^{-1}(x)$ to denote, for all $x \in \{0,1\}^n$, the value of $F(\alpha, x)$ and $F^{-1}(\alpha, x)$ respectively.



4.2 The Protocol’s Outline 

This protocol is an extension of the EGL protocol (described in Subsection 2.1). The first part of the protocol (Steps 1-3) is similar to the first part (Steps 1-2) of the EGL protocol. In this part, the receiver selects $r_{1-i}$ and $s$ uniformly in $\{0,1\}^n$. Note that either $r_{1-i}$ or $s$ might not be in $D_\alpha$. This fact reduces the protocol's quality and hence we are not constructing (in this step) an OT. There is a non-negligible probability, however, that both elements are in $D_\alpha$, and therefore the protocol can guarantee some weaker requirements.

The middle part of the protocol (Steps 4-5) is where the new key idea lies. The sender helps the receiver to decide whether or not $r_0$ and $r_1$ (that the receiver has chosen in the first part of the protocol) "look" as though they have been chosen from the same distribution. In addition, the sender helps the receiver to decide whether or not $s$ is the pre-image (with respect to $f_\alpha$) of $r_i$. The above help is given to the receiver without leaking "too much" information about the value of $\sigma_{1-i}$. This help is needed, as there is no efficient way to decide whether or not a given element is in $D_\alpha$. If the receiver concludes that $r_0$ and $r_1$ "look" as though they have been chosen from different distributions, or that $s$ is not the pre-image of $r_i$, then it restarts the protocol. Hence, the protocol might iterate through its first two parts (Steps 1-5) for quite a while before it finally reaches its last part (Steps 6-8). It is guaranteed, however, that with very high probability the protocol halts after a polynomial number of iterations. The last part of our protocol is similar to the last part (Steps 3-4) of the EGL protocol. The receiver uses the information it received from the sender to calculate $\sigma_i$. Note that when $s$ is in $D_\alpha$ (which happens with probability at least $\rho$), the receiver receives the right value of $\sigma_i$.

4.3 The Protocol 

The protocol uses a collection of pairwise independent hash functions (see footnote) denoted $H_n$, where the hash functions' domain is $\{0,1\}^n$ and their range is $\{1, 2, \ldots, |R|\}$ (we write $|R|$ for the size of the range). Recall that the protocol's inputs are: the sender's secrets, $\sigma_0$ and $\sigma_1$, and the receiver's index, $i$.

1. The sender uniformly selects a permutation and its trapdoor, $\alpha$ and $t$, by letting $(\alpha, t) \leftarrow I(1^n)$, and uniformly selects a hash function $h \in H_n$.

The sender sends $(h, \alpha)$ to the receiver.

2. The receiver selects $s$, $r_i$ and $r_{1-i}$ as follows:

- $s$ is chosen uniformly in $\{0,1\}^n$ and $r_i$ is set to $f_\alpha(s)$.

- $r_{1-i}$ is chosen uniformly in $\{0,1\}^n$.

The idea is that when $s$ is in $D_\alpha$, the receiver knows the value of $f_\alpha^{-1}(r_i)$ (i.e., $s$), and when $r_{1-i}$ is in $D_\alpha$, it does not know the value of $f_\alpha^{-1}(r_{1-i})$. Moreover, when both $s$ and $r_{1-i}$ are in $D_\alpha$, then $r_i$ and $r_{1-i}$ have the same distribution (as $f_\alpha$ is a permutation on $D_\alpha$) and thus knowing them gives no knowledge about $i$. Note that if $r_{1-i}$ or $s$ are not in $D_\alpha$, then the protocol is not guaranteed to work correctly, but with sufficiently high probability the protocol detects such a situation by itself (Steps 4-5).

3. The receiver sends $(r_0, r_1)$ to the sender in random order, i.e., the receiver selects $k$ uniformly in $\{0,1\}$, sets $w_0$ to $r_k$ and $w_1$ to $r_{1-k}$, and sends $(w_0, w_1)$ to the sender.

By sending $r_0$ and $r_1$ in random order, the receiver hides the identity of $i$. The random order is needed, since $r_0$ and $r_1$ might have completely different distributions and thus sending them in a fixed order might leak information about $i$. This random ordering step was not taken in the EGL protocol, as in the EGL protocol both $r_0$ and $r_1$ were guaranteed to have the same distribution (recall that they were uniformly chosen in $D_\alpha$). In the current protocol, however, this is not always the case. The reason is that in order to choose $r_i$ we evaluate $f_\alpha(s)$, even though $s$ is not guaranteed to be in $D_\alpha$. Hence, we can assure nothing about the distribution of $r_i$. For example, it might be that for all $x$ not in $D_\alpha$, $f_\alpha(x)$ equals $0^n$.

Footnote: That is, for any $n$, for any $x, y \in \{0,1\}^n$ with $x \ne y$ and for any $a, \beta \in \{1, 2, \ldots, |R|\}$, $\Pr_{h \in_R H_n}[(h(x) = a) \wedge (h(y) = \beta)] = \frac{1}{|R|^2}$.
4. For both $j = 0, 1$, the sender checks whether $f_\alpha(f_\alpha^{-1}(w_j))$ is equal to $w_j$. If the answer is positive it sets $v_j$ to $h(f_\alpha^{-1}(w_j))$, otherwise it aborts the current iteration (i.e., the protocol is restarted).

The sender sends $(v_0, v_1)$ to the receiver.

5. The receiver aborts the current iteration if the $v_j$ that corresponds to $r_i$ (i.e., $v_{i \oplus k}$) is not equal to $h(s)$.

Motivating comment for Steps 4 and 5: The goal of the last two steps is to ensure, with sufficiently high probability, that the following two requirements hold. The first requirement is that $s$ is the pre-image of $r_i$, and the second requirement is that $r_i$ and $r_{1-i}$ "look" as though they have been chosen from the same distribution. The crucial observation is that when both $s$ and $r_{1-i}$ happen to be in $D_\alpha$ (which happens with probability at least $\rho(n)^2$), then the above two requirements are guaranteed to hold and the current iteration is not aborted. On the other hand, when one of the above two requirements does not hold, then the current iteration is aborted with probability at least $1 - \frac{1}{|R|}$. (When $s$ is not the pre-image of $r_i$, then the receiver detects it in Step 5 with probability $1 - \frac{1}{|R|}$, and when $s$ is the pre-image of $r_i$ and the current iteration is not aborted, then both $r_i$ and $r_{1-i}$ are uniformly distributed in the set $D'_\alpha = \{x \in \{0,1\}^n \mid f_\alpha(f_\alpha^{-1}(x)) = x\}$.)

We note that even though some information about the pre-image of $r_{1-i}$ (i.e., $h(f_\alpha^{-1}(r_{1-i}))$) is delivered to the receiver, this information is given in a small amount and thus does not enable the receiver to compute the pre-image of $r_{1-i}$ by itself.

6. The receiver sends $k$ to the sender.

That is, the receiver tells the sender which of the values $w_0$ and $w_1$ is $r_0$ and which is $r_1$. The point is that when we reach this step, $r_0$ and $r_1$ have, with substantial probability, the same distribution. Hence, only a small amount of information about $i$ might leak to the sender.

7. For both $j = 0, 1$, the sender uniformly chooses $y_j \in \{0,1\}^n$ and sets $c_j$ to $\sigma_j \oplus b(f_\alpha^{-1}(r_j), y_j)$, where $b(x, y) = \langle x, y \rangle \bmod 2$ (i.e., the inner product of $x$ and $y$ modulo 2).

The sender sends $(c_0, c_1, y_0, y_1)$ to the receiver.

Note that in this protocol, the sender XORs $\sigma_0$ and $\sigma_1$ with the hardcore bits of $(r_0, y_0)$ and $(r_1, y_1)$. The latter hardcore bits are with respect to a specific hardcore predicate (i.e., $b$) of the trapdoor permutation $g_\alpha$, defined as $g_\alpha(x, y) = (f_\alpha(x), y)$. Recall that in the EGL protocol, the sender XORs $\sigma_0$ and $\sigma_1$ with the hardcore bits of $r_0$ and $r_1$, with respect to any given hardcore predicate of $f_\alpha$. The reason for this modification is that in our proof of security we rely on the structure of the above specific hardcore predicate.

8. The receiver locally outputs $b(s, y_i) \oplus c_i$.

Note that when $f_\alpha^{-1}(r_i)$ is equal to $s$, the receiver outputs $\sigma_i$. In addition, when $r_{1-i}$ is in $D_\alpha$, no knowledge about $\sigma_{1-i}$ leaks to the receiver.
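Added example (my own code, not the paper's): a Python simulation of Steps 1-8 above over a constructed toy dense TDP. The density parameter q, the hash range size m, the pathological behaviour $f_\alpha(x) = 0^n$ outside $D_\alpha$ and the lookup-table "permutation" are all assumptions, so the run exercises the restart logic of Steps 4-5, the good-ending notion and the hardcore-bit masking, not one-wayness.

```python
import random


def next_prime(x):
    """Smallest prime strictly greater than x (toy helper, fine for small n)."""
    x += 1
    while any(x % d == 0 for d in range(2, int(x ** 0.5) + 1)):
        x += 1
    return x


class ToyDenseTDP:
    """Constructed stand-in for a dense TDP over {0,1}^n (strings as ints).
    D_alpha: random subset of size 2^n/q that excludes 0^n; f_alpha: random
    permutation of D_alpha.  Outside D_alpha we use the text's example
    f_alpha(x) = 0^n, and let f_alpha^{-1}(y) = y.  The inverse table plays
    the trapdoor.  Nothing here is one-way: both tables live in memory."""

    def __init__(self, n, q, rng):
        self.n = n
        members = sorted(rng.sample(range(1, 1 << n), (1 << n) // q))
        images = members[:]
        rng.shuffle(images)
        self.domain = set(members)
        self._f = dict(zip(members, images))
        self._f_inv = {y: x for x, y in self._f.items()}   # the trapdoor t

    def f(self, x):
        return self._f.get(x, 0)

    def f_inv(self, y):
        return self._f_inv.get(y, y)


class ToyPairwiseHash:
    """h(x) = ((a*x + b) mod p) mod m + 1, p prime > 2^n: an (approximately)
    pairwise independent hash from {0,1}^n into {1, ..., m}; m is an assumption."""

    def __init__(self, n, m, rng):
        self.p, self.m = next_prime(1 << n), m
        self.a, self.b = rng.randrange(1, self.p), rng.randrange(self.p)

    def __call__(self, x):
        return ((self.a * x + self.b) % self.p) % self.m + 1


def hardcore_bit(x, y):
    """b(x, y) = <x, y> mod 2, the inner-product predicate of Step 7."""
    return bin(x & y).count("1") & 1


def wot_run(sigma, i, tdp, m, rng, max_iters=10_000):
    """One execution with secrets sigma=(s0, s1) and index i.  Returns
    (receiver output, iterations used, good_ending), good_ending meaning that
    s was the pre-image of r_i in the final iteration (Analysis Sketch)."""
    n = tdp.n
    for it in range(1, max_iters + 1):
        h = ToyPairwiseHash(n, m, rng)                 # Step 1 (alpha, t fixed in tdp)
        s = rng.randrange(1 << n)                      # Step 2
        r = [0, 0]
        r[i] = tdp.f(s)
        r[1 - i] = rng.randrange(1 << n)
        k = rng.randrange(2)                           # Step 3: random order
        w = (r[k], r[1 - k])
        v = []                                         # Step 4: sender's checks
        for w_j in w:
            pre = tdp.f_inv(w_j)
            if tdp.f(pre) != w_j:
                break
            v.append(h(pre))
        if len(v) < 2:
            continue                                   # sender aborts the iteration
        if v[i ^ k] != h(s):                           # Step 5: w_{i xor k} is r_i
            continue                                   # receiver aborts the iteration
        # Step 6: k is sent, so the sender knows which w_j is r_0 and which is r_1.
        y = [rng.randrange(1 << n) for _ in range(2)]  # Step 7
        c = [sigma[j] ^ hardcore_bit(tdp.f_inv(r[j]), y[j]) for j in range(2)]
        out = hardcore_bit(s, y[i]) ^ c[i]             # Step 8
        return out, it, tdp.f_inv(r[i]) == s
    raise RuntimeError("no accepted iteration")


def experiment(trials=1000, n=8, q=4, m=64, seed=7):
    """Run many independent executions and report the empirical rates."""
    rng = random.Random(seed)
    tdp = ToyDenseTDP(n, q, rng)
    correct = good = good_but_wrong = iters = 0
    for _ in range(trials):
        sigma = (rng.randrange(2), rng.randrange(2))
        i = rng.randrange(2)
        out, it, good_end = wot_run(sigma, i, tdp, m, rng)
        iters += it
        correct += out == sigma[i]
        good += good_end
        good_but_wrong += good_end and out != sigma[i]
    return {"correct": correct / trials, "good_ending": good / trials,
            "good_but_wrong": good_but_wrong, "mean_iterations": iters / trials}
```

A good ending always yields $\sigma_i$; the remaining runs (a hash collision in Step 5 let a wrong $s$ through) are right only by chance, which is the gap between the two rates reported.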



Analysis Sketch. In this section we sketch the correctness proof of the above protocol. (A detailed proof can be found in [13].)

We first mention that the protocol is a polynomial one. The reason is that by the density property of the collection, the protocol halts, with very high probability, after a polynomial number of iterations. Thus, without loss of generality, we can assume that the protocol always halts after a polynomial number of iterations and is therefore polynomial.

We say that the protocol had a good-ending if in its last iteration $s$ was equal to the pre-image of $r_i$ (with respect to $f_\alpha$). It is not hard to see that the probability for a good-ending of the protocol is at least $1 - \frac{1}{q(n)}$. The proof of the protocol's first and third properties (i.e., Correctness and Receiver's privacy) is a direct implication of the above result.

The proof of the protocol's second property (Sender's privacy) is by contradiction. We assume that the second property does not hold, and construct a polynomial time algorithm that, with non-negligible success, inverts the collection of dense trapdoor permutations. The proof has two major steps. First we construct a polynomial time algorithm, $B$, that predicts $b(f_\alpha^{-1}(x), y)$ with non-negligible advantage. (Recall that $b(z, w)$ is the inner product of $z$ and $w$ mod 2, and it is a hardcore predicate of the trapdoor permutation $g_\alpha$, defined as $g_\alpha(z, w) = (f_\alpha(z), w)$.) In the second step, we construct a polynomial time algorithm that computes $f_\alpha^{-1}(x)$, by embedding $B$ in the reduction given by [9] in proving a hard-core predicate for any one-way function.

5 Amplifying $(\frac{1}{q}, 1 - \rho^2, \frac{1}{q})$-WOT to OT

(where $\rho$ is the density parameter of the collection and we have the freedom to choose $q$ as any positive polynomial)

In this section we sketch how to amplify a general $(\frac{1}{q(n)}, 1 - \frac{1}{t(n)}, \frac{1}{q(n)})$-WOT to OT, where $t$ is any positive polynomial (not necessarily $\frac{1}{\rho(n)^2}$) and we have the freedom to choose $q$ as any positive polynomial. A detailed construction can be found in [13].

The amplification is done in three independent steps. Each step amplifies some weak form of OT into a stronger form. In Subsection 5.4 we show how to combine these steps to create the desired amplification.



5.1 Using $(\frac{1}{nq'(n)t(n)}, 1 - \frac{1}{t(n)}, \frac{1}{nq'(n)t(n)})$-WOT to Construct $(\frac{1}{q'(n)}, neg(n), \frac{1}{q'(n)})$-WOT

(where $q'$ and $t$ are any positive polynomials)

In this step, we show how to reduce (the potentially big) second parameter of $(\frac{1}{nq'(n)t(n)}, 1 - \frac{1}{t(n)}, \frac{1}{nq'(n)t(n)})$-WOT into a negligible function. In the protocol, the sender splits its original pair of secrets into many pairs of secrets, by splitting each of the original secrets into many secrets using a secret sharing scheme. Then, the sender transfers the $i$'th secret of each new pair to the receiver using $(\frac{1}{nq'(n)t(n)}, 1 - \frac{1}{t(n)}, \frac{1}{nq'(n)t(n)})$-WOT. The point is that in order to know the value of $\sigma_j$, one should know the $j$'th secret of each of the new pairs. Thus the amount of knowledge the receiver gains about $\sigma_{1-i}$ in the following protocol is negligible.

The Protocol. Recall that the protocol's inputs are: the sender's secrets, $\sigma_0$ and $\sigma_1$, and the receiver's index, $i$.

1. For both $j = 0, 1$, the sender sets the following values:

- $\omega_{j,1}, \ldots, \omega_{j,nt(n)-1}$ are uniformly chosen in $\{0,1\}$.

- $\omega_{j,nt(n)}$ is set to $\bigoplus_{k=1}^{nt(n)-1} \omega_{j,k} \oplus \sigma_j$.

2. For all $1 \le k \le nt(n)$, the sender transfers $\omega_{i,k}$ to the receiver, using $(\frac{1}{nq'(n)t(n)}, 1 - \frac{1}{t(n)}, \frac{1}{nq'(n)t(n)})$-WOT.

3. The receiver locally outputs $\bigoplus_{k=1}^{nt(n)} \omega_{i,k}$.

Analysis Sketch. By invoking Yao's XOR lemma, we show that the amount of knowledge the receiver gains about $\sigma_{1-i}$ through this protocol is negligible and hence the Sender's privacy is guaranteed. Proving the other properties (Correctness and Receiver's privacy) is rather straightforward. The Correctness property is proved by analyzing the probability that all the invocations of the subprotocol are successful (in the sense that the receiver always computes the right value of $\omega_{i,k}$), and the Receiver's privacy property is proved by a simple information theoretic argument.

5.2 Using $(\frac{1}{nq''(n)}, neg(n), \frac{1}{nq''(n)})$-WOT to construct $(neg(n), neg(n), \frac{1}{q''(n)})$-WOT

(where $q''$ is any positive polynomial)

In this step, we show how to reduce the first parameter into a negligible function. In the protocol the sender repeatedly transfers $\sigma_i$ to the receiver, using $(\frac{1}{nq''(n)}, neg(n), \frac{1}{nq''(n)})$-WOT. The receiver determines the correct value using majority rule. The point is to decrease the probability that the receiver wrongly determines $\sigma_i$.

The Protocol

1. The sender transfers $\sigma_i$ to the receiver repeatedly, using $(\frac{1}{nq''(n)}, neg(n), \frac{1}{nq''(n)})$-WOT.

2. The receiver decides the value of $\sigma_i$ by majority rule.



Analysis Sketch. The proof of the Correctness property is immediate by the Chernoff bound. The Sender's privacy property is proved by a hybrid argument, and finally the Receiver's privacy property is proved by a simple information theoretic argument.
5.3 Using $(neg(n), neg(n), \frac{1}{3})$-WOT to construct $(neg(n), neg(n), neg(n))$-WOT

In this final step, we reduce the third parameter into a negligible function. The implementation of this step follows the construction presented by Crépeau and Kilian [3].



5.4 Putting It All Together 

Given a $(\frac{1}{q(n)}, 1 - \frac{1}{t(n)}, \frac{1}{q(n)})$-WOT protocol, where $t$ is any positive polynomial and we are free to choose $q$ as we like, we start by choosing $q(n)$ to be equal to $3n^2 t(n)$. The second step is to use Step 5.1 to implement $(\frac{1}{3n}, neg(n), \frac{1}{3n})$-WOT. In the third step we use Step 5.2 to implement $(neg(n), neg(n), \frac{1}{3})$-WOT. In the last step we use Step 5.3 to implement the desired $(neg(n), neg(n), neg(n))$-WOT.

Recall that by the definition of $(\varepsilon_1, \varepsilon_2, \varepsilon_3)$-WOT, $(neg(n), neg(n), neg(n))$-WOT is, in a sense, an even stronger protocol than OT, since in OT all the requirements are computational-knowledge ones, whereas in $(neg(n), neg(n), neg(n))$-WOT the Receiver's privacy property is negligible by information-theoretic means (see footnote).
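Added example (not from the paper): a constructed toy model in Python of an $(\varepsilon_1, \varepsilon_2, \varepsilon_3)$-WOT oracle, in which each invocation delivers the wrong bit with probability $\varepsilon_1$, reveals $\sigma_{1-i}$ to the receiver with probability $\varepsilon_2$ and reveals $i$ to the sender with probability $\varepsilon_3$ (independent events), on which Steps 5.1 and 5.2 are run with the Section 5.4 choice $q(n) = 3n^2 t(n)$ so the parameter bookkeeping can be measured. Assumptions: n, t and the number of repetitions in Step 5.2 are constructed toy values; Step 5.3 (Crépeau-Kilian) is not modelled, and the all-or-nothing leak of the XOR shares stands in for the computational statement the paper obtains from Yao's XOR lemma.

```python
import random


def weak_ot(sigma, i, eps, rng):
    """Constructed toy (e1, e2, e3)-WOT oracle: with prob. e1 the receiver gets
    the wrong bit, with prob. e2 it also learns sigma_{1-i}, with prob. e3 the
    sender learns i (independent).  Returns (bit, other_leaked, index_leaked)."""
    e1, e2, e3 = eps
    bit = sigma[i] ^ int(rng.random() < e1)
    return bit, rng.random() < e2, rng.random() < e3


def share_and_transfer(sigma, i, shares, eps, rng):
    """Step 5.1: split each sigma_j into `shares` XOR-shares and transfer the
    i'th share of every pair with the weak oracle.  The receiver learns
    sigma_{1-i} only if every share of it leaked; i leaks if any call leaked it."""
    omega = []
    for j in (0, 1):
        parts = [rng.randrange(2) for _ in range(shares - 1)]
        parts.append(sigma[j] ^ (sum(parts) & 1))      # last share fixes the XOR
        omega.append(parts)
    received, other_leaks, index_leaked = 0, 0, False
    for k in range(shares):
        bit, lo, li = weak_ot((omega[0][k], omega[1][k]), i, eps, rng)
        received ^= bit
        other_leaks += lo
        index_leaked |= li
    return received, other_leaks == shares, index_leaked


def repeat_and_vote(sigma, i, reps, sub, rng):
    """Step 5.2: run `sub` reps times (reps odd) and take the majority bit."""
    votes, other_leaked, index_leaked = 0, False, False
    for _ in range(reps):
        bit, lo, li = sub(sigma, i, rng)
        votes += bit
        other_leaked |= lo
        index_leaked |= li
    return int(2 * votes > reps), other_leaked, index_leaked


def bounds_after_5_1(eps, shares):
    """Bookkeeping for Step 5.1 in this toy model: union bound on the first and
    third parameters, product for the second: (shares*e1, e2**shares, shares*e3)."""
    e1, e2, e3 = eps
    return shares * e1, e2 ** shares, shares * e3


def measure(protocol, trials, seed=0):
    """Empirical (wrong-output rate, sigma_{1-i} leak rate, i leak rate)."""
    rng = random.Random(seed)
    wrong = other = index = 0
    for _ in range(trials):
        sigma = (rng.randrange(2), rng.randrange(2))
        i = rng.randrange(2)
        bit, lo, li = protocol(sigma, i, rng)
        wrong += bit != sigma[i]
        other += lo
        index += li
    return wrong / trials, other / trials, index / trials


def demo(n=4, t=2, reps=5, trials=10000):
    """Section 5.4's choice q(n) = 3 n^2 t(n); n, t, reps are toy values."""
    q = 3 * n * n * t
    base_eps = (1 / q, 1 - 1 / t, 1 / q)             # (1/q, 1 - 1/t, 1/q)-WOT
    shares = n * t                                    # nt(n) shares per secret
    base = lambda s, i, rng: weak_ot(s, i, base_eps, rng)
    step51 = lambda s, i, rng: share_and_transfer(s, i, shares, base_eps, rng)
    step52 = lambda s, i, rng: repeat_and_vote(s, i, reps, step51, rng)
    return {"base": measure(base, trials),
            "after_5_1": measure(step51, trials),
            "after_5_2": measure(step52, trials),
            "bounds_5_1": bounds_after_5_1(base_eps, shares)}
```

The measurements show the trade-off the sketch describes: Step 5.1 collapses the second parameter while multiplying the first and third by $nt(n)$, and Step 5.2 drives the first parameter down while the third grows with the number of repetitions.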



6 Further Issues 

A natural question to ask is whether a similar result can be obtained even if the permutation requirement is somewhat relaxed. For example, can we construct an OT based on a dense collection of injective one-way functions? The answer is positive when we consider length-preserving functions. Moreover, exactly the same construction as used in this text can be used. If the functions are not length-preserving, then the size of the function range must be dense both in $2^n$ and in $2^m$ (assuming that the function input is $n$ bits long and the output is $m$ bits long), and, again, exactly the same construction as used in this text can be used.

Another natural question to ask is whether an OT can be constructed using "standard" TDP, without any additional requirements. The answer seems to be negative, as it was proved by [8] that OT cannot be black-box reduced to a collection of injective one-way functions, and it seems likely, though not proven yet, that this result can be extended to TDP.



Acknowledgements. I would like to thank my MSc advisor, Oded Goldreich, 
who introduced me to this subject, and guided me through the writing of this 
paper. 

Footnote: Note that this strengthening also happened in the EGL protocol.
Abstract. A new technique for proving the adaptive indistinguishability of two systems, each composed of some component systems, is presented, using only the fact that corresponding component systems are non-adaptively indistinguishable. The main tool is the definition of a special monotone condition for a random system $F$, relative to another random system $G$, whose probability of occurring for a given distinguisher $D$ is closely related to the distinguishing advantage $\varepsilon$ of $D$ for $F$ and $G$, namely it is lower and upper bounded by $\varepsilon$ and $\varepsilon(1 + \ln\frac{1}{\varepsilon})$, respectively.

A concrete instantiation of this result shows that the cascade of two random permutations (with the second one inverted) is indistinguishable from a uniform random permutation by adaptive distinguishers which may query the system from both sides, assuming the components' security only against non-adaptive one-sided distinguishers.

As applications we provide some results in various fields such as almost $k$-wise independent probability spaces, decorrelation theory and computational indistinguishability (i.e., pseudo-randomness).



1 Introduction 

1.1 Random Systems and the Distinguishing Problem 

The statistical distance $\delta$ of two random variables $A$ and $B$ has a natural interpretation: the success probability of an optimal distinguisher in telling apart the two random variables $A$ and $B$ is $(1 + \delta)/2$.
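Added example (not part of the paper): Python that computes $\delta$ for two constructed distributions, builds the maximum-likelihood distinguisher, and checks by exhausting every deterministic rule that none beats $(1 + \delta)/2$ (a randomised rule is a mixture of deterministic ones, so it cannot do better either). Values are exact Fractions; the challenger is assumed to pick $A$ or $B$ with probability 1/2 and hand over one sample.

```python
from fractions import Fraction
from itertools import combinations


# Constructed example distributions over small outcome sets.
COIN_FAIR = {0: Fraction(1, 2), 1: Fraction(1, 2)}
COIN_BIASED = {0: Fraction(3, 4), 1: Fraction(1, 4)}
DIE_A = {1: Fraction(1, 3), 2: Fraction(1, 3), 3: Fraction(1, 3)}
DIE_B = {1: Fraction(1, 2), 2: Fraction(1, 2)}          # outcome 3 never occurs


def support(pa, pb):
    return sorted(set(pa) | set(pb))


def statistical_distance(pa, pb):
    """delta = 1/2 * sum_x |P_A(x) - P_B(x)|."""
    return sum(abs(pa.get(x, 0) - pb.get(x, 0)) for x in support(pa, pb)) / 2


def success_probability(pa, pb, answer_a):
    """Success of the rule 'answer A iff the sample lies in answer_a' when the
    challenger picks A or B with probability 1/2 each and gives one sample."""
    p_a = sum(pa.get(x, 0) for x in answer_a)
    p_b = sum(pb.get(x, 0) for x in support(pa, pb) if x not in answer_a)
    return (p_a + p_b) / 2


def optimal_rule(pa, pb):
    """Maximum-likelihood rule: answer A exactly on outcomes with P_A(x) >= P_B(x)."""
    return {x for x in support(pa, pb) if pa.get(x, 0) >= pb.get(x, 0)}


def best_success_by_brute_force(pa, pb):
    """Try every deterministic rule, i.e. every subset of the support."""
    xs = support(pa, pb)
    return max(success_probability(pa, pb, set(sub))
               for r in range(len(xs) + 1) for sub in combinations(xs, r))


def check_interpretation(pa, pb):
    """True iff the ML rule succeeds with probability (1 + delta)/2 and no
    deterministic rule does better."""
    target = (1 + statistical_distance(pa, pb)) / 2
    return (success_probability(pa, pb, optimal_rule(pa, pb)) == target
            and best_success_by_brute_force(pa, pb) == target)
```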

It is much more intricate to deal with the indistinguishability of random systems (see footnote) which take inputs $X_1, X_2, \ldots$ and generate, for each new input $X_i$, an output $Y_i$ which depends probabilistically on the inputs and outputs seen so far. As always, we consider a distinguisher $D$ which may interactively query a random system and, after some number $k$ of queries, outputs a decision bit. For two random systems $F$ and $G$ and a distinguisher $D$ one considers the two random experiments where $D$ queries $F$ and where $D$ queries $G$, respectively,

Footnote: The term "random" is used here in the same sense as it is used in the term "random variable". It does not imply some kind of uniformity.

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 410-427, 2004. 
for some $k \ge 1$ queries. The advantage of $D$ in distinguishing $F$ and $G$ is defined as the difference of the probabilities of $D$ outputting 1 in the two random experiments.

Usually one is interested in the indistinguishability of a random system from some perfect random system with respect to any distinguisher from some general class of distinguishers (e.g. the class of all adaptive or the class of all non-adaptive distinguishers). In this work we will consider the problem of whether one can compose two or more random systems to obtain a new system whose security is superior to the security of any of its components. This is best illustrated by an example.



1.2 Composition of Random Systems: An Example 

Let $E$ (and likewise $F$) be a random permutation (see footnote) where the advantage of any non-adaptive distinguisher (see footnote) for $E$ and a uniform random permutation (URP) $P$ is at most $\varepsilon_k$ (where $k$ is the number of queries). We can build a new random permutation $E \circ F$ by using $E$ and $F$ in a cascade (see Figure 1). Intuitively, this construction should be even "closer" to $P$ than $E$ or $F$ individually. Indeed, Vaudenay [7] proved that the non-adaptive indistinguishability of $E \circ F$ is $2\varepsilon_k^2$, i.e., the distinguishing advantages are multiplied. The same statement holds if we replace (both occurrences of) non-adaptive with adaptive in the above [8].

If $E$ and $F$ are secure against non-adaptive distinguishers, can we say something about the adaptive security of $E \circ F$? The intuition here is that adaptivity cannot help too much, as the output of $E$ in the cascade is obscured by $F$ and the input to $F$ is randomized by the leading $E$. This intuition is indeed correct. We will prove that if the non-adaptive security of $E$ and $F$ is $\varepsilon_k$, then $E \circ F$ has adaptive security $2\varepsilon_k(1 + \ln\frac{1}{\varepsilon_k})$. A lower bound of $\Omega(\varepsilon_k)$ for this advantage can easily be shown, in contrast to the above stated $O(\varepsilon_k^2)$ when only non-adaptive security is required. This leaves us (as an open problem) a gap on the order of $\ln\frac{1}{\varepsilon_k}$ between the upper and lower bound.



1.3 From Indistinguishability to Monotone Conditions and Back 

The framework of [3] is based on the concept of monotone conditions defined for 
a random system. Intuitively, after each query to the system, such a condition 
can either be satisfied or can fail to be satisfied. Monotonicity means that once 
the condition has failed, it is never satisfied in the future. For example, such a 
condition could be that at a certain point internally in the system, for example at 
the input to a component, no collision has occurred. This no-collision condition 
is obviously monotone. 

Footnote: By a random permutation (over some set $\mathcal{X}$) we mean a system which was chosen according to some distribution from all possible permutations over this set. If this distribution is uniform this system is called a uniform random permutation (URP).

Footnote: A non-adaptive distinguisher must choose the queries without seeing the outputs of the invoked system.
Consider two random systems $F$ and $G$ with compatible input and output alphabets. In this paper we will consider a monotone condition $\mathcal{A}$ for $F$, denoted $F^{\mathcal{A}}$, such that for any fixed input-output behaviour, the probability that $F$ shows this behaviour and the condition occurs is upper bounded by the probability that $G$ shows this behaviour. This will be denoted as $F^{\mathcal{A}} \preceq G$. Lemma 6 shows that if $F^{\mathcal{A}} \preceq G$, then for any distinguisher, its advantage in distinguishing $F$ from $G$ is upper bounded by the probability that it can make the condition $\mathcal{A}$ fail in $F$.

One can intuitively think of such a monotone condition as a lamp placed 
on the system which goes on as soon as the condition fails. More radically, one 
could think of failure of the condition as a trigger for the system to explode. If 
the failure of a condition in a system F is interpreted as such a visible effect, 
then distinguishing F from another system G (without such a trigger) is trivial, 
provided the trigger event occurs, i.e., the condition fails. 

In very many indistinguishability proofs in the literature, such monotone conditions lie at the core of the argument, although this is sometimes obscured in complicated arguments. In [3] it is shown how complex systems with several internal subsystems, each with a monotone condition, can be analysed. However, if one only knows that the two systems are $\varepsilon$-indistinguishable from a URF, without knowing a corresponding condition, then the technique of [3] fails. A main goal of this paper is therefore to define a special monotone condition $\mathcal{A}$ (called the maximum condition) for a random system $F$, relative to a system $G$, such that $F^{\mathcal{A}} \preceq G$ and such that its probability $p$ of not occurring (for any distinguisher $D$) is closely related to the distinguishing advantage $\varepsilon$ of $F$ and $G$ (for $D$). More precisely, we provide two lemmas (Lemma 6 mentioned before and Lemma 9) which show that $\varepsilon \le p \le \varepsilon(1 + \ln\frac{1}{\varepsilon})$. This allows us to prove the indistinguishability of two systems consisting of subsystems, knowing only that the subsystems are indistinguishable from a certain ideal system, but using the powerful framework based on monotone conditions.

Continuing the example of Section 1.2, let us discuss intuitively how this maximum condition allows us to upper bound the adaptive security of $E \circ F$, assuming that the non-adaptive security of $E$ (and likewise of $F$) is at least $\gamma_k$ (the $k$ refers to the number of queries the distinguisher is allowed to make). Let $\mathcal{A}$ be the maximum condition for $E$ relative to a URP $P$, and let $\mathcal{B}$ be the maximum condition for $F$ relative to $P$. One can show (using Lemma 6) that $\varepsilon_k \le \alpha_k$, where $\alpha_k$ is an upper bound on the maximal success probability of any adaptive distinguisher in making either $\mathcal{A}$ or $\mathcal{B}$ fail when querying $E^{\mathcal{A}} \circ F^{\mathcal{B}}$. Then using $E^{\mathcal{A}} \preceq P$ and $F^{\mathcal{B}} \preceq P$ one can show that this probability is at most the success probability of any adaptive distinguisher in making $\mathcal{A}$ fail in $E^{\mathcal{A}} \circ P$ plus the probability of making $\mathcal{B}$ fail in $P \circ F^{\mathcal{B}}$. But in $E^{\mathcal{A}} \circ P$ (and likewise in $P \circ F^{\mathcal{B}}$) adaptive strategies cannot be better than non-adaptive ones in making $\mathcal{A}$ fail, as the output of $E^{\mathcal{A}} \circ P$ is completely independent of the output of the internal system $E$ on which $\mathcal{A}$ is defined. So $\alpha_k \le 2\beta_k$ where $\beta_k$ is an upper bound on the probability of any non-adaptive distinguisher in making $\mathcal{A}$ fail in $E$ (and likewise $\mathcal{B}$ in $F$). As $\mathcal{A}$ and $\mathcal{B}$ are maximum conditions we now obtain (from Lemma 9) $\beta_k \le \gamma_k(1 + \ln\frac{1}{\gamma_k})$ and thus $\varepsilon_k \le 2\gamma_k(1 + \ln\frac{1}{\gamma_k})$.
1.4 Outline of the Paper

In Section 2 the definitions of random systems, monotone conditions, the $\preceq$ relation and of distinguishers are given. In Section 3 first the maximum condition for two random systems is defined. Then we lower and upper bound (Lemmas 6 and 9) the success probability of a distinguisher in making the maximum condition fail (as described in Section 1.3).

As an application of our framework, in Section 4 we provide two theorems 
bounding the adaptive security of two systems (parallel execution and XOR of 
random functions and cascades of permutations) in terms of the non-adaptive 
security of the component systems. We also give an application for each of the 
theorems, the first is about k-wise independent sample spaces, the second about 
the cascade of random involutions. Section 5 discusses some more implications 
of the results. Section 6 states some open problems. 

1.5 Notation 

We denote sets by capital calligraphic letters (e.g. $\mathcal{X}$) and the corresponding capital letter $X$ denotes a random variable taking values in $\mathcal{X}$. Concrete values for $X$ are usually denoted by the corresponding small letter $x$. For a set $\mathcal{X}$ we denote by $\mathcal{X}^k$ the set of ordered $k$-tuples of elements from $\mathcal{X}$. $X^k = (X_1, X_2, \ldots, X_k)$ denotes a random variable taking values in $\mathcal{X}^k$ and a concrete value is usually denoted by $x^k = (x_1, x_2, \ldots, x_k)$.

Because we will consider different random experiments where the same random variables appear, we extend the standard notation for probabilities and expectations (e.g. $\mathsf{P}_V(v)$, $\mathsf{P}_{V|W}(v, w)$, $\mathsf{E}[A]$) by explicitly writing the considered random experiment $\mathcal{E}$ as a superscript, e.g. $\mathsf{P}^{\mathcal{E}}_V(v)$, $\mathsf{P}^{\mathcal{E}}_{V|W}(v, w)$ and $\mathsf{E}^{\mathcal{E}}[A]$. Equality of distributions means equality for all arguments, e.g.

$$\mathsf{P}^{\mathcal{E}}_V = \mathsf{P}^{\mathcal{F}}_V \iff \forall v \in \mathcal{V} : \mathsf{P}^{\mathcal{E}}_V(v) = \mathsf{P}^{\mathcal{F}}_V(v).$$

We sometimes use the notation $\mathsf{P}^{\mathcal{E}}_{\mathcal{A}}$ instead of $\mathsf{P}^{\mathcal{E}}(\mathcal{A})$ to denote the probability of the event $\mathcal{A}$.

2 Random Systems, Conditions, and Distinguishers

2.1 Random Systems 

Many cryptographic systems correspond to a probabilistic, possibly stateful (but 
often stateless) system which takes inputs Xi , X 2 , ■ ■ ■ and generates, for each new 
input Xi, an output Yi which depends probabilistically on Xi and the internal 
state. 

In communication theory, a memoryless (i.e., stateless) communication channel with input $X$ and output $Y$ is modelled by a conditional probability distribution $P_{Y|X}$. In other words, $P_{Y|X}$ precisely captures the input-output behaviour of the channel, and it is unnecessary to consider the internals of the channel. In the same spirit, a possibly stateful and probabilistic system $F$ that takes inputs $X_1, X_2, \ldots$ and generates an output $Y_i$ for each new input $X_i$ is modelled as a so-called random system [3], defined as a sequence of conditional probability distributions $P_{Y_i|X_1 \cdots X_i, Y_1 \cdots Y_{i-1}}$.

Definition 1 An $(\mathcal{X},\mathcal{Y})$-random system $F$ is a (generally infinite) sequence of conditional probability distributions $P^F_{Y_i|X^iY^{i-1}}$, for $i \ge 1$. Two systems $F$ and $G$ are equivalent, denoted $F \equiv G$, if they correspond to the same random system, i.e., if $P^F_{Y_i|X^iY^{i-1}} = P^G_{Y_i|X^iY^{i-1}}$ for all $i \ge 1$.

The sequence $P^F_{Y_i|X^iY^{i-1}}$ for $i \ge 1$ also defines the sequence $P^F_{Y^i|X^i}$ by

$P^F_{Y^i|X^i} = \prod_{j=1}^{i} P^F_{Y_j|X^jY^{j-1}}$

and vice versa by

$P^F_{Y_i|X^iY^{i-1}} = \dfrac{P^F_{Y^i|X^i}}{P^F_{Y^{i-1}|X^{i-1}}}.$

As special classes of random systems we will consider random functions and 
random permutations, which are stateless random systems. 



Definition 2 A random function $\mathcal{X} \to \mathcal{Y}$ (random permutation on $\mathcal{X}$) is a random variable which takes as values functions $\mathcal{X} \to \mathcal{Y}$ (permutations on $\mathcal{X}$). Throughout the paper the symbols $\mathcal{R}$ and $\mathcal{P}$ are used for the set of all random functions and the set of all random permutations respectively.

A uniform random function (URF) $R : \mathcal{X} \to \mathcal{Y}$ (a uniform random permutation (URP) $P$ on $\mathcal{X}$) is a random function with uniform distribution over all functions from $\mathcal{X}$ to $\mathcal{Y}$ (permutations on $\mathcal{X}$). Throughout the paper, the symbols $R$ and $P$ are used exclusively for the systems defined above.



2.2 Monotone Conditions 

The concept of monotone conditions for random systems was introduced in [3]. A monotone condition $A$ for a random system $F$ is a sequence $a_0, a_1, a_2, \ldots$ of events, where $a_0$ is the certain event and where $a_i$ ($\bar a_i$) denotes the event that the condition is satisfied (failed) after the $i$'th query to $F$ has been processed. As described above, monotone means that once the condition has failed, it can never hold again (i.e., $a_i \subseteq a_{i-1}$). A natural example of a monotone condition is a no-collision condition. As we are not interested in the behaviour of a random system after the condition has failed, and in fact this behaviour need in general not be defined, the definition below specifies the probability distribution of $Y_i$, given $X^i$ and $Y^{i-1}$, only together with the event $a_i$, and conditioned on $a_{i-1}$.

More formally, a random system with a monotone condition is defined like a 
random system, but the (conditional) probability distributions generally do not 
sum to 1. We use the term “partial” to denote such distributions which are not 
actually probability distributions. 
Definition 3 An $(\mathcal{X},\mathcal{Y})$-random system $F$ with a monotone condition $A$, denoted $F^A$, is an infinite sequence of partial conditional probability distributions $P^{F^A}_{a_iY_i|X^iY^{i-1}a_{i-1}}$. For any $x^i$ and $y^{i-1}$ we have

$\sum_{y_i \in \mathcal{Y}} P^{F^A}_{a_iY_i|X^iY^{i-1}a_{i-1}}(y_i, x^i, y^{i-1}) \le 1.$

The sequence $P^{F^A}_{a_iY_i|X^iY^{i-1}a_{i-1}}$ for $i \ge 1$ also defines the sequence $P^{F^A}_{a_iY^i|X^i}$ by

$P^{F^A}_{a_iY^i|X^i} = \prod_{j=1}^{i} P^{F^A}_{a_jY_j|X^jY^{j-1}a_{j-1}}$

and vice versa.



Definition 4 We introduce a partial order $\preceq$ on input-output compatible random systems with monotone conditions, as follows:

$F^A \preceq G^B \;:\Longleftrightarrow\; \forall i \ge 1: \; P^{F^A}_{a_iY^i|X^i} \le P^{G^B}_{b_iY^i|X^i}.$

In other words, $F^A \preceq G^B$ if for all $i \ge 1$ and all $x^i \in \mathcal{X}^i$, $y^i \in \mathcal{Y}^i$, the probability that $F^A$ outputs $y^i$ on input $x^i$ and the condition $A$ holds is at most the probability that $G^B$ will output $y^i$ on input $x^i$ and the condition $B$ holds. We also define $F^A \preceq G$ (here one may think of $G$ having a condition which never fails):

$F^A \preceq G \;:\Longleftrightarrow\; \forall i \ge 1: \; P^{F^A}_{a_iY^i|X^i} \le P^{G}_{Y^i|X^i}.$



2.3 Distinguishers and Their Advantage 

Definition 5 A distinguisher for an $(\mathcal{X},\mathcal{Y})$-random system is a $(\mathcal{Y},\mathcal{X})$-random system $D$ which can interactively query $(\mathcal{X},\mathcal{Y})$-random systems and finally outputs a bit.$^1$ For an $(\mathcal{X},\mathcal{Y})$-random system $F$ we denote by $D \diamond F$ the random experiment where $D$ interactively queries $F$.

This definition refers to adaptive distinguishers. A non-adaptive distinguisher must fix all inputs $X_1, \ldots, X_k$ before seeing the outputs $Y_1, \ldots, Y_k$.

For the case of random permutations, we will consider mono-directional and 
bidirectional distinguishers (the latter only in the adaptive version). A bidirec- 
tional distinguisher can query the system from both sides. 

Definition 6 The advantage of $D$ in distinguishing $F$ from $G$, after $k$ queries, denoted $\Delta^D_k(F,G)$, is the absolute value of the difference of the probability of $D$ outputting 1 in the two random experiments $D \diamond F$ and $D \diamond G$.

$^1$ An initial random variable $X_1 \in \mathcal{X}$ must also be defined.
Assuming without loss of generality that, after the query phase, $D$ makes the optimal decision based on $X^k$ and $Y^k$, we have$^2$

$\Delta^D_k(F,G) = \frac{1}{2} \sum_{\mathcal{X}^k \times \mathcal{Y}^k} \bigl| P^{D \diamond F}_{X^kY^k} - P^{D \diamond G}_{X^kY^k} \bigr|.$

We denote the advantages of the best adaptive and the best non-adaptive distinguisher as follows:

$\Delta_k(F,G) = \max_{D} \Delta^D_k(F,G)$

and

$\delta_k(F,G) = \max_{\text{non-adaptive } D} \Delta^D_k(F,G).$

Definition 7 For a random system $F^A$ with a monotone condition, we let $\nu^D(F^A, \bar a_k)$ be the probability that $D$ makes the condition fail with at most $k$ queries. Furthermore, let

$\nu_k(F^A, \bar a_k) = \max_{D} \nu^D(F^A, \bar a_k)$

be the maximal probability in provoking $\bar a_k$ using any adaptive $D$, and analogously for non-adaptive $D$:

$\mu_k(F^A, \bar a_k) = \max_{\text{non-adaptive } D} \nu^D(F^A, \bar a_k).$

2.4 Random Systems as Components in Random Experiments 

In this section we propose two lemmas which we will need several times in the sequel. Consider the random experiment $\mathcal{E}(F)$ where a random system $F$, defined by a sequence of distributions $P^F_{Y_i|X^iY^{i-1}}$, is interacting with an environment $\mathcal{E}(\cdot)$, given by a sequence of distributions $P^{\mathcal{E}(\cdot)}_{X_i|X^{i-1}Y^{i-1}}$.$^3$ Here $\mathcal{E}(\cdot)$ sends a query $X_1$ to $F$ which answers with $Y_1$, then $\mathcal{E}(\cdot)$ sends a query $X_2$ and so on. So after $k$ queries this random experiment defines a random variable $X^kY^k$.

$^2$ This definition has a natural interpretation in the random experiment where we first toss a uniform random coin $C \in \{0,1\}$. Then we let $D$ (which has no a priori information on $C$) make $k$ queries to a system $H$ where $H = F$ if $C = 0$ and $H = G$ if $C = 1$. Here the expected probability that an optimal guess on $C$ based on the $k$ inputs and outputs of $H$ will be correct is $1/2 + \Delta^D_k(F,G)/2$.

$^3$ This definition of environment $\mathcal{E}(\cdot)$ is exactly the definition of an adaptive distinguisher. We will consider environments where a distinguisher is part of the environment, so as to avoid ambiguities we introduce the term environment here.
Lemma 1 For $\mathcal{E}(\cdot)$ as just defined

$P^{\mathcal{E}(F)}_{X^kY^k} = P^{\mathcal{E}(\cdot)}_{X^k|Y^{k-1}} \cdot P^F_{Y^k|X^k}.$

Proof: This follows directly from the definition of this random experiment:

$P^{\mathcal{E}(F)}_{X^kY^k} = \prod_{j=1}^{k} P^{\mathcal{E}(\cdot)}_{X_j|X^{j-1}Y^{j-1}} \, P^F_{Y_j|X^jY^{j-1}} = P^{\mathcal{E}(\cdot)}_{X^k|Y^{k-1}} \cdot P^F_{Y^k|X^k}. \qquad \square$

For example for the random experiment $D \diamond F$ (see Definition 5) we have

$P^{D \diamond F}_{X^kY^k} = P^D_{X^k|Y^{k-1}} \cdot P^F_{Y^k|X^k}. \qquad (1)$

For $\mathcal{E}(\cdot)$ as just defined we can also consider the random experiment $\mathcal{E}(F^A)$.$^4$ It is straightforward to prove the following lemma.

Lemma 2 For $\mathcal{E}(\cdot)$ as above let $\tau$ be any event defined on $\mathcal{E}(\cdot)$. Let $a_\tau$ be the event that the condition $A$ holds at the timepoint where $\tau$ occurs. If $F^A \preceq G$ then

$P^{\mathcal{E}(F^A)}_{\tau \wedge a_\tau} \le P^{\mathcal{E}(G)}_{\tau}.$



3 The Maximum Condition 



Definition 8 For two $(\mathcal{X},\mathcal{Y})$-random systems $F$ and $G$, $F$ with the maximum condition (relative to $G$) is the random system with monotone condition $F^A$ defined by

$P^{F^A}_{a_i|X^iY^i} = \min^*_{1 \le j \le i} \dfrac{P^G_{Y^j|X^j}}{P^F_{Y^j|X^j}}$

and

$P^{F^A}_{a_iY^i|X^i} = P^F_{Y^i|X^i} \cdot P^{F^A}_{a_i|X^iY^i}$

for $i \ge 1$, where $\min^*$ means that the constant 1 is included among the terms to be minimised over, i.e., a $\min^*$ expression is always upper bounded by 1. We denote the maximum condition for $F$ and $G$ by $F \downarrow G$ and often give it a short name (e.g. $A := F \downarrow G$).



The term “maximum condition” is motivated by the following lemma. 



Lemma 3 For $A := F \downarrow G$,

$F^A \preceq G.$

Moreover, for all $F^B$,

$F^B \preceq G \;\Longrightarrow\; F^B \preceq F^A.$

$^4$ Note that formally, this is not a random experiment since it is only partially defined, but the notion of a probability of an event in this random experiment is naturally defined, provided the condition that $A$ holds at the timepoint when the event occurs is taken as part of the event.




418 



U. Maurer and K. Pietrzak 



Proof: We first observe that the condition is monotone, because of the minimisation which implies $a_i \subseteq a_{i-1}$. To prove $F^A \preceq G$, observe that $P^{F^A}_{a_i|X^iY^i} \le P^G_{Y^i|X^i} / P^F_{Y^i|X^i}$ implies $P^{F^A}_{a_iY^i|X^i} \le P^G_{Y^i|X^i}$.

To see that $F^B \preceq G$ implies $F^B \preceq F^A$, note that for the maximum condition $A$ the distribution $P^{F^A}_{a_i|X^iY^i}$ has everywhere the largest possible value still satisfying both requirements. So for any $F^B \preceq G$ we have $P^{F^B}_{b_i|X^iY^i} \le P^{F^A}_{a_i|X^iY^i}$ and thus $F^B \preceq F^A$. $\square$

For the remainder of this section, let $F$ and $G$ be any $(\mathcal{X},\mathcal{Y})$-random systems. For each $i \ge 0$ we define the function $\Delta^{F,G}_i : \mathcal{X}^i \times \mathcal{Y}^i \to [0,1]$ as

$\Delta^{F,G}_i(x^i,y^i) = \max\left\{ \dfrac{P^F_{Y^i|X^i}(y^i,x^i) - P^G_{Y^i|X^i}(y^i,x^i)}{P^F_{Y^i|X^i}(y^i,x^i)},\; 0 \right\}.$

In a random experiment where the random variables $X^i$ and $Y^i$ are defined we can consider the random variables $Z_i$ and $\hat Z_i$ defined as

$Z_i = \Delta^{F,G}_i(X^i,Y^i) \qquad\text{and}\qquad \hat Z_i = \max_{0 \le j \le i} Z_j. \qquad (2)$



The next two lemmas state that the expectation of these random variables in 
the random experiment DOF are the distinguishing advantage of D for F and 
G and the probability that D provokes the maximum condition for F (relative 
to G) to fail, respectively. 



Lemma 4 $\Delta^D_k(F,G) = E^{D \diamond F}[Z_k]$.

Proof:

$\Delta^D_k(F,G) = \frac{1}{2} \sum_{\mathcal{X}^k \times \mathcal{Y}^k} \bigl| P^{D \diamond F}_{X^kY^k} - P^{D \diamond G}_{X^kY^k} \bigr|$

$= \sum_{\mathcal{X}^k \times \mathcal{Y}^k} \max\bigl\{ P^{D \diamond F}_{X^kY^k} - P^{D \diamond G}_{X^kY^k},\; 0 \bigr\}$

$= \sum_{\mathcal{X}^k \times \mathcal{Y}^k} P^D_{X^k|Y^{k-1}} \cdot \max\bigl\{ P^F_{Y^k|X^k} - P^G_{Y^k|X^k},\; 0 \bigr\}$

$= \sum_{\mathcal{X}^k \times \mathcal{Y}^k} P^{D \diamond F}_{X^kY^k} \cdot \max\left\{ \dfrac{P^F_{Y^k|X^k} - P^G_{Y^k|X^k}}{P^F_{Y^k|X^k}},\; 0 \right\}$

$= E^{D \diamond F}[Z_k]. \qquad \square$



Lemma 5 For $A := F \downarrow G$, $\nu^D(F^A, \bar a_k) = E^{D \diamond F}[\hat Z_k]$.

Proof:

$\nu^D(F^A, \bar a_k) = \sum_{\mathcal{X}^k \times \mathcal{Y}^k} P^{D \diamond F}_{X^kY^k} \cdot \Bigl( 1 - \min^*_{1 \le j \le k} \dfrac{P^G_{Y^j|X^j}}{P^F_{Y^j|X^j}} \Bigr)$

$= \sum_{\mathcal{X}^k \times \mathcal{Y}^k} P^{D \diamond F}_{X^kY^k} \cdot \max^*_{1 \le j \le k} \dfrac{P^F_{Y^j|X^j} - P^G_{Y^j|X^j}}{P^F_{Y^j|X^j}}$

$= E^{D \diamond F}[\hat Z_k].$

Here $\max^*$ means that the constant 0 is included among the terms to be maximised over, i.e., a $\max^*$ expression is always non-negative. $\square$

Lemma 6 If $F^A \preceq G$, then

$\Delta^D_k(F,G) \le \nu^D(F^A, \bar a_k).$

Proof: Let $B := F \downarrow G$. Using the Lemmas 4 and 5 we get

$\Delta^D_k(F,G) = E^{D \diamond F}[Z_k] \le E^{D \diamond F}[\hat Z_k] = \nu^D(F^B, \bar b_k) \le \nu^D(F^A, \bar a_k).$

The last step is easily verified using $F^A \preceq F^B$, which follows from Lemma 3. $\square$



Definition 9 A sequence of random variables $V_0, V_1, \ldots$ is a sub-martingale if for all $i \ge 0$

$E[V_{i+1} \mid V_0, \ldots, V_i] \ge V_i.$

The proofs of the Lemmas 7 and 8 below can be found in Appendix A.

Lemma 7 Let $V_0, V_1, \ldots$ be a sub-martingale where $0 \le V_i \le 1$ for all $i$, and let $\hat V_n = \max_{0 \le j \le n} V_j$. Then

$E[\hat V_n] \le E[V_n] \cdot (1 - \ln(E[V_n])).$

Lemma 8 The sequence $Z_0, Z_1, \ldots$ as defined in (2) is a sub-martingale sequence in the random experiment $D \diamond F$, i.e.,

$\forall i \ge 0: \; E^{D \diamond F}[Z_{i+1} \mid Z_0, \ldots, Z_i] \ge Z_i.$
[Figure] Fig. 1. The random systems $E \star F$ (left) and $E \circ F$ (right).



Lemma 9 For $A := F \downarrow G$,

$\nu^D(F^A, \bar a_k) \le \Delta^D_k(F,G) \cdot \bigl(1 - \ln \Delta^D_k(F,G)\bigr).$

Proof: Using Lemmas 8 and 7 we get

$E^{D \diamond F}[\hat Z_k] \le E^{D \diamond F}[Z_k] \cdot \bigl(1 - \ln(E^{D \diamond F}[Z_k])\bigr).$

Now one can apply the Lemmas 4 and 5. $\square$

4 Stronger Security by Composition 

Definition 10 A composition operator $\boxtimes$ for a class of random systems $\mathcal{Q}$ is a binary operator $\mathcal{Q} \times \mathcal{Q} \to \mathcal{Q}$ which, given two random systems $E, F \in \mathcal{Q}$, defines how to combine $E$ and $F$ into a random system $E \boxtimes F \in \mathcal{Q}$ where, on any invocation of $E \boxtimes F$, the internal random systems $E$ and $F$ are invoked once. In this paper we will consider the two composition operators $\star$ and $\circ$ described below.

— Let $E, F \in \mathcal{R}$ be random functions $\mathcal{X} \to \mathcal{Y}$ (see Definition 2) and let $\star$ denote some group operation on $\mathcal{Y}$. We denote by $E \star F \in \mathcal{R}$ the random function defined by applying the input to $E$ and $F$ and then applying $\star$ to the outputs (see Figure 1, left).

— Let $E, F \in \mathcal{P}$ be random permutations over $\mathcal{X}$ (see Definition 2). We denote by $E \circ F \in \mathcal{P}$ the random permutation defined by applying the input to $E$ and $F$ to the output of $E$ (see Figure 1, right).



Lemma 10 Consider a class $\mathcal{Q}$ of random systems and a composition operator $\boxtimes$ on $\mathcal{Q}$. If there is a random system $I \in \mathcal{Q}$ such that for all $F \in \mathcal{Q}$ the following two conditions are satisfied

1. $I \boxtimes I \equiv I$.

2. $\nu_k(E^A \boxtimes I, \bar a_k) = \mu_k(E^A \boxtimes I, \bar a_k)$ and $\nu_k(I \boxtimes F^B, \bar b_k) = \mu_k(I \boxtimes F^B, \bar b_k)$.$^5$

Then for any $E, F \in \mathcal{Q}$ and any $k \ge 1$ we have

$\delta_k(E,I) \le \varepsilon \;\wedge\; \delta_k(F,I) \le \varepsilon \;\Longrightarrow\; \Delta_k(E \boxtimes F, I) \le 2\varepsilon\bigl(1 + \ln\tfrac{1}{\varepsilon}\bigr).$

$^5$ This means that whenever one of the two systems $\boxtimes$ takes as input is the “perfect” system $I$, then the best adaptive distinguisher has no advantage over the best non-adaptive distinguisher in provoking some event defined on the other system.

Proof: Let $A$ ($B$) be the maximum condition for $E$ ($F$), relative to $I$, i.e., $A := E \downarrow I$ and $B := F \downarrow I$.

Now we have (here $b_{\bar a}$, and likewise $a_{\bar b}$, denote the event that at any timepoint where the condition $B$ holds, also the condition $A$ holds)

$\Delta_k(E \boxtimes F, I) = \Delta_k(E \boxtimes F, I \boxtimes I)$

$\le \nu_k(E^A \boxtimes F^B, \bar a_k \vee \bar b_k)$

$\le \nu_k(E^A \boxtimes F^B, \bar a_k \wedge b_{\bar a}) + \nu_k(E^A \boxtimes F^B, \bar b_k \wedge a_{\bar b})$

$\le \nu_k(E^A \boxtimes I, \bar a_k) + \nu_k(I \boxtimes F^B, \bar b_k)$

$= \mu_k(E^A \boxtimes I, \bar a_k) + \mu_k(I \boxtimes F^B, \bar b_k)$

$\le \mu_k(E^A, \bar a_k) + \mu_k(F^B, \bar b_k)$

$\le \delta_k(E,I)\,\bigl(1 - \ln(\delta_k(E,I))\bigr) + \delta_k(F,I)\,\bigl(1 - \ln(\delta_k(F,I))\bigr)$

$\le 2\varepsilon\bigl(1 + \ln\tfrac{1}{\varepsilon}\bigr).$

The first step above follows from the first condition in the statement of the lemma. As for the second step, let $(E \boxtimes F)^C$ be given by the partial distributions

$\forall i: \quad P^{(E \boxtimes F)^C}_{c_iY^i|X^i} = P^{E^A \boxtimes F^B}_{a_ib_iY^i|X^i}.$

Here $(E \boxtimes F)^C \preceq I \boxtimes I$ (which follows from $E^A \preceq I$ and $F^B \preceq I$) and we can apply Lemma 6 as $\Delta_k(E \boxtimes F, I \boxtimes I) \le \nu_k((E \boxtimes F)^C, \bar c_k) = \nu_k(E^A \boxtimes F^B, \bar a_k \vee \bar b_k)$. The third step uses the union bound. Note that $\bar a_k \wedge b_{\bar a}$ is the event that the $A$-condition fails before the $B$-condition fails. The fourth step follows from Lemma 2. The fifth step follows by the second condition in the statement of the lemma. The sixth step follows as a non-adaptive distinguisher which queries $E^A$ (and likewise $F^B$) can simply “simulate” the system $E^A \boxtimes I$ ($I \boxtimes F^B$).$^6$ The seventh step follows from Lemma 9, and the final step from the assumption of the lemma. $\square$



Theorem 1 For random functions $E, F \in \mathcal{R}$ and $\star$ as in Definition 10,

$\delta_k(E,R) \le \varepsilon \;\wedge\; \delta_k(F,R) \le \varepsilon \;\Longrightarrow\; \Delta_k(E \star F, R) \le 2\varepsilon\bigl(1 + \ln\tfrac{1}{\varepsilon}\bigr).$

Proof: The Theorem follows from Lemma 10 by setting $I \leftarrow R$, $\mathcal{Q} \leftarrow \mathcal{R}$ and $\boxtimes \leftarrow \star$. We only have to verify that the two points required by Lemma 10 are satisfied. As for the first point, $R \star R \equiv R$ clearly holds. For the second point, note that the output of $E^A \star R$ is independent of the output of the internal system $E^A$ on which our event is defined. So seeing the output cannot help in making the condition fail and we have $\nu_k(E^A \star R, \bar a_k) = \mu_k(E^A \star R, \bar a_k)$. By symmetry, $\nu_k(R \star F^B, \bar b_k) = \mu_k(R \star F^B, \bar b_k)$ also holds. $\square$

$^6$ Here we need that a query to $E^A \boxtimes I$ results in exactly one invocation of each subsystem. This guarantees we have no feedback which could not be simulated by a non-adaptive distinguisher.

As an application for this theorem one can consider an adaptive version of almost $k$-wise independent distributions (see [5], and [1] for simpler constructions). These are distributions over $\{0,1\}^n$ such that the bits at any $k$ fixed positions are close (say some $\varepsilon > 0$ far away) to uniform.

It is natural to consider an adaptive version of $\varepsilon$-almost $k$-wise independence where the positions can be chosen adaptively by a distinguisher.

Definition 11 A distribution over $\{0,1\}^n$ is adaptively $\varepsilon$-almost $k$-wise independent if even an adaptive distinguisher, selecting the $k$ positions adaptively, cannot distinguish the $k$ bits from uniformly random with advantage more than $\varepsilon$.

Corollary 1. The distribution over $\{0,1\}^n$ defined by XOR-ing two $\varepsilon$-almost $k$-wise independent distributions is adaptively $2\varepsilon(1 + \ln\tfrac{1}{\varepsilon})$-almost $k$-wise independent.

The following theorem is inspired by Lemma 3 from [4]. We use the notation of [3] to denote bidirectional random permutations. If $F$ is a random permutation, then $\langle F \rangle$ is like $F$, but it can be queried from both sides. The distinguisher can thus also issue a direction bit, in addition to the query, to indicate from which side it is supposed to be applied as input.

Theorem 2 For two random permutations $E, F \in \mathcal{P}$ and $\circ$ as in Definition 10,

$\delta_k(E,P) \le \varepsilon \;\wedge\; \delta_k(F,P) \le \varepsilon \;\Longrightarrow\; \Delta_k(E \circ F, P) \le 2\varepsilon\bigl(1 + \ln\tfrac{1}{\varepsilon}\bigr).$

If we take the inverse $F^{-1}$ of $F$ as the second element in the cascade, we additionally obtain security against bidirectional distinguishers:

$\delta_k(E,P) \le \varepsilon \;\wedge\; \delta_k(F,P) \le \varepsilon \;\Longrightarrow\; \Delta_k(\langle E \circ F^{-1} \rangle, \langle P \rangle) \le 2\varepsilon\bigl(1 + \ln\tfrac{1}{\varepsilon}\bigr).$

Proof: The first statement of the theorem follows from Lemma 10 by setting $\mathcal{Q} \leftarrow \mathcal{P}$, $I \leftarrow P$ and $\boxtimes \leftarrow \circ$. For the second statement we must set $\mathcal{Q} \leftarrow \mathcal{P}$, $I \leftarrow \langle P \rangle$ and $\boxtimes$ to be the mapping $E, F \to \langle E \circ F^{-1} \rangle$.

We will only prove the (slightly more involved) second statement of the theorem. Note that this statement is somewhat stronger than a direct application of Lemma 10 would imply: the precondition is $\delta_k(E,P) \le \varepsilon \wedge \delta_k(F,P) \le \varepsilon$, and not $\delta_k(\langle E \rangle, \langle P \rangle) \le \varepsilon \wedge \delta_k(\langle F \rangle, \langle P \rangle) \le \varepsilon$ as one would expect (we will come back to that point later).

We must verify that the two points required by Lemma 10 are satisfied. As for the first point, $\langle P \circ P^{-1} \rangle \equiv \langle P \rangle$ clearly holds. For the second point, note that in $\langle E^A \circ P^{-1} \rangle$ a query from the $P^{-1}$ side results in a random value on the input and output of $E^A$. Thus a query from this side can be replaced by a random query from the $E^A$ side without changing the probability of an event defined on $E^A$, and we have $\nu_k(\langle E^A \circ P^{-1} \rangle, \bar a_k) = \nu_k(E^A \circ P^{-1}, \bar a_k)$. Now the output of $E^A \circ P^{-1}$ is completely independent of the output of the internal system $E^A$. So adaptive strategies cannot help in provoking an event defined on $E^A$, i.e., $\nu_k(E^A \circ P^{-1}, \bar a_k) = \mu_k(E^A \circ P^{-1}, \bar a_k)$. We have shown that $\nu_k(\langle E^A \circ P^{-1} \rangle, \bar a_k) = \mu_k(E^A \circ P^{-1}, \bar a_k)$, and by symmetry we get $\nu_k(\langle P \circ (F^B)^{-1} \rangle, \bar b_k) = \mu_k(P \circ (F^B)^{-1}, \bar b_k)$. This is more than what is actually required by the second condition of Lemma 9. An inspection of the proof of the lemma shows that with this we also get a stronger statement (as mentioned before). $\square$

As an application of this theorem, consider the cascade of two uniform random involutions over $\mathcal{X}$. An involution is a permutation which is its own inverse, and a uniform random involution (URI) on $\mathcal{X}$ is a permutation selected at random from the set of all involutions on $\mathcal{X}$. A URI $I$ is non-adaptively indistinguishable from a URP $P$ (the advantage is very small even for a large number of queries, actually $\Theta(\sqrt{|\mathcal{X}|})$ queries are required to achieve a constant advantage), but an adaptive distinguisher can easily distinguish $I$ from $P$ simply by using any query $X_1$, setting $X_2 := Y_1$, and checking whether $Y_2 = X_1$. For a URI, this condition is always satisfied, whereas for a URP, it is satisfied only with exponentially small probability. We get the following corollary from Theorem 2.

Corollary 1 Any adaptive bidirectional distinguisher must make in the order of $\sqrt{|\mathcal{X}|}$ queries to achieve a constant distinguishing advantage for a cascade of two uniform random involutions over $\mathcal{X}$ and a uniform random permutation over $\mathcal{X}$.
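The two-query test just described, run against a URI, a URP and the cascade of two independent URIs on a small domain, as an added example (not code from the paper). The domain size, seed and trial counts are constructed for illustration; a URI is sampled exactly via the standard recursion for the number of involutions.

```python
"""The involution test of Sec. 4 on a small domain (added example, not the
paper's code).  A uniform random involution (URI) is sampled exactly via the
recursion T(n) = T(n-1) + (n-1) T(n-2) for the number of involutions on n
points; the two-query adaptive distinguisher picks any x1, sets x2 := y1 and
outputs 1 iff y2 == x1.  Domain size, seed and trial counts are constructed
for illustration.
"""
import random
from functools import lru_cache


@lru_cache(maxsize=None)
def involution_count(n):
    """T(n), the number of involutions on n points: 1, 1, 2, 4, 10, 26, 76, ..."""
    if n < 2:
        return 1
    return involution_count(n - 1) + (n - 1) * involution_count(n - 2)


def random_involution(n, rng=None):
    """Sample uniformly from all involutions on range(n).

    The smallest unassigned point is a fixed point with probability
    T(m-1)/T(m), where m is the number of unassigned points; otherwise it is
    paired with one of the other m-1 unassigned points, chosen uniformly.
    """
    rng = rng if rng is not None else random
    perm = [None] * n
    free = list(range(n))
    while free:
        m = len(free)
        x = free.pop(0)
        if rng.randrange(involution_count(m)) < involution_count(m - 1):
            perm[x] = x
        else:
            y = free.pop(rng.randrange(len(free)))
            perm[x], perm[y] = y, x
    return perm


def random_permutation(n, rng):
    """Sample a uniform random permutation (URP) on range(n)."""
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


def uri_cascade(n, rng):
    """E o F for two independent URIs E and F, i.e. x -> F(E(x)) as in
    Definition 10.  An involution is its own inverse, so this is also E o F^{-1}."""
    e, f = random_involution(n, rng), random_involution(n, rng)
    return [f[e[x]] for x in range(n)]


def is_involution(perm):
    return all(perm[perm[x]] == x for x in range(len(perm)))


def involution_test(perm, rng):
    """One run of the adaptive two-query distinguisher against a fixed permutation."""
    x1 = rng.randrange(len(perm))
    y1 = perm[x1]          # first query
    x2 = y1                # adaptively chosen second query
    y2 = perm[x2]
    return y2 == x1


def detection_rate(sampler, n, trials, rng):
    """Fraction of fresh samples from `sampler` on which the test outputs 1."""
    hits = sum(involution_test(sampler(n, rng), rng) for _ in range(trials))
    return hits / trials


def run_demo(n=32, trials=2000, seed=7):
    """Return the test's output rate for a URI, a URP and a cascade of two URIs.

    For a URI the rate is exactly 1; for a URP it is about 2/n (y1 == x1, or
    P maps y1 back to x1); for the cascade it is again of the order of a few
    over n, so the single adaptive test no longer separates it from a URP.
    """
    rng = random.Random(seed)
    return {
        "uri": detection_rate(random_involution, n, trials, rng),
        "urp": detection_rate(random_permutation, n, trials, rng),
        "uri_cascade": detection_rate(uri_cascade, n, trials, rng),
    }


if __name__ == "__main__":
    for name, rate in run_demo().items():
        print(f"{name:12s} P[y2 == x1] = {rate:.3f}")
```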

5 Discussion 

We discuss a few implications of the results of this paper. 

5.1 Pseudorandomness 

As discussed in [3], essentially all proofs of computational indistinguishability of 
random systems consist basically of an information-theoretic indistinguishability 
proof. The results of this paper therefore have direct applications to computa- 
tional settings. For example, in order to design a bidirectionally secure pseu- 
dorandom permutation (i.e., a block cipher secure against a combined chosen- 
message and chosen-ciphertext attack) from any pseudorandom function, it suf- 
fices to design an only non-adaptively secure random permutation F from a ran- 
dom function, then to replace the random function by a pseudorandom function, 
and to apply the construction twice with one of them inverted. More generally, 
this paper allows for new constructions of quasi-random systems, as discussed 
in [3]. 

5.2 Generalizing Indistinguishability Theory 

This paper proposes two generalisations of the framework of [3], where the following technique to bound the indistinguishability $\Delta_k(F,G)$ of two random systems $F$ and $G$ is used:

— Find conditions $A$ and $B$ such that $F^A \equiv G^B$, which is defined as

$F^A \equiv G^B \;:\Longleftrightarrow\; \forall i \ge 1: \; P^{F^A}_{a_iY_i|X^iY^{i-1}a_{i-1}} = P^{G^B}_{b_iY_i|X^iY^{i-1}b_{i-1}}.$

— Prove an upper bound on $\nu_k(F^A, \bar a_k)$, the success probability of any distinguisher in making the condition fail with $k$ queries. Now (by Lemma 7 from [3]) $\Delta_k(F,G) \le \nu_k(F^A, \bar a_k)$ and we are done.

The first generalisation is that by Lemma 6 we may replace the requirement $F^A \equiv G^B$ with the weaker requirement $F^A \preceq G$ and the second point still holds. As $F^A \equiv G^B$ implies $F^A \preceq G$ but $F^A \preceq G$ does not imply the existence of $B$ such that $F^A \equiv G^B$, this requirement is strictly weaker.

The second generalisation is that, due to Lemma 9, one can go from indistinguishability to monotone conditions: If $\Delta_k(F,G) \le \varepsilon$, then there always exists a monotone condition $A$ (i.e. the maximum condition for $F$ and $G$) such that $F^A \preceq G$ and $\nu_k(F^A, \bar a_k) \le \varepsilon(1 + \ln\tfrac{1}{\varepsilon})$. So using the above framework (with $F^A \preceq G$ instead of $F^A \equiv G^B$ in the first step) does not inherently restrict the set of provable statements.

This is in sharp contrast to the original $F^A \equiv G^B$ requirement, as there are, for any $\varepsilon > 0$, random systems $F$ and $G$ where (for some $k$, or rather some range for $k$) $\Delta_k(F,G) \le \varepsilon$, but for any conditions $A$ and $B$ which satisfy $F^A \equiv G^B$ we have $\nu_k(F^A, \bar a_k) \ge 1 - \varepsilon$. For such systems this framework (with the original $F^A \equiv G^B$ requirement in the first step) is not applicable.

As an example for such systems, let the first be a source of uniform random bits and the second be a source where each bit is not completely uniform but has some small bias $\alpha$. Here $\Delta_k(F,G) \approx \sqrt{k}\,\alpha$ (see [6]) and $\nu_k(F^A, \bar a_k) \approx 1 - (1-\alpha)^{k/2} \approx \alpha k/2$. Thus choosing $\alpha$ small and $k$ large enough we can achieve any $\varepsilon > 0$ as described.
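The biased-bit pair of systems just described is small enough to evaluate Lemmas 4, 5 and 9 exactly by enumerating all $k$-bit outputs; the following is an added example (not code from the paper) that does so, assuming "bias $\alpha$" means $P[\text{bit} = 1] = (1+\alpha)/2$.

```python
"""Exact check of Lemmas 4, 5 and 9 on the biased-bit example of Sec. 5.2.

Added example (not code from the paper).  F emits uniform bits and G emits
independent bits with bias alpha, taken here to mean P[bit = 1] = (1+alpha)/2
(an assumption; the paper does not fix the convention).  Neither system takes
inputs, so every distinguisher is non-adaptive and D <> F simply reads k bits
from F.  All probabilities are exact fractions; only the logarithm in the
Lemma 9 bound is evaluated in floating point.
"""
from fractions import Fraction
from itertools import product
import math

ALPHA = Fraction(1, 10)   # constructed bias used by the demo and the checks


def prob_f(bits):
    """P^F_{Y^i}(y^i): uniform over {0,1}^i (1 for the empty prefix)."""
    return Fraction(1, 2 ** len(bits))


def prob_g(bits, alpha):
    """P^G_{Y^i}(y^i): independent biased bits."""
    p = Fraction(1)
    for b in bits:
        p *= (1 + alpha) / 2 if b else (1 - alpha) / 2
    return p


def z_value(prefix, alpha):
    """Delta^{F,G}_i(y^i) = max{(P^F - P^G) / P^F, 0}; Z_0 = 0 on the empty prefix."""
    return max(1 - prob_g(prefix, alpha) / prob_f(prefix), Fraction(0))


def max_condition_fails(bits, alpha):
    """1 - P^{F^A}_{a_k|Y^k}(y^k) for the maximum condition A := F|G (Definition 8),
    i.e. 1 - min*_{1<=j<=k} P^G(y^j)/P^F(y^j), with the constant 1 among the terms."""
    k = len(bits)
    ratios = [prob_g(bits[:j], alpha) / prob_f(bits[:j]) for j in range(1, k + 1)]
    return 1 - min([Fraction(1)] + ratios)


def analyse(k, alpha):
    """Enumerate {0,1}^k and return (E^F[Z_k], E^F[Zhat_k], nu(F^A, not a_k)).

    Lemma 4 says the first equals Delta_k(F,G); Lemma 5 says the second equals
    the third, the probability that the maximum condition fails within k bits.
    """
    e_z = e_zhat = nu = Fraction(0)
    for y in product((0, 1), repeat=k):
        pf = prob_f(y)
        e_z += pf * z_value(y, alpha)
        e_zhat += pf * max(z_value(y[:j], alpha) for j in range(k + 1))
        nu += pf * max_condition_fails(y, alpha)
    return e_z, e_zhat, nu


def statistical_distance(k, alpha):
    """Delta_k(F,G) computed independently as 1/2 * sum |P^F - P^G| over {0,1}^k."""
    total = sum(abs(prob_f(y) - prob_g(y, alpha)) for y in product((0, 1), repeat=k))
    return total / 2


def lemma9_bound(delta):
    """Right-hand side of Lemma 9: Delta_k (1 - ln Delta_k)."""
    d = float(delta)
    return d * (1 - math.log(d))


def check_lemmas(k, alpha):
    """True iff Lemmas 4, 5, 6 and 9 all hold numerically for these parameters."""
    e_z, e_zhat, nu = analyse(k, alpha)
    lemma4 = e_z == statistical_distance(k, alpha)
    lemma5 = e_zhat == nu
    lemma6_and_9 = e_z <= nu <= lemma9_bound(e_z)
    return lemma4 and lemma5 and lemma6_and_9


if __name__ == "__main__":
    for k in (1, 2, 4, 8):
        e_z, e_zhat, nu = analyse(k, ALPHA)
        print(f"k={k}: Delta_k={float(e_z):.4f}  nu_k={float(nu):.4f}  "
              f"Lemma 9 bound={lemma9_bound(e_z):.4f}  ok={check_lemmas(k, ALPHA)}")
```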



5.3 Decorrelation Theory 

Decorrelation theory was introduced by Vaudenay as a tool to prove security of block ciphers against $d$-iterated attacks; this class of attacks includes linear and differential cryptanalysis. Loosely speaking, in a $d$-iterated attack a distinguisher, which tries to distinguish the block cipher from a uniform random permutation, is limited to look at blocks of at most $d$ queries at the same time. Decorrelation theory is based on different matrix norms. We refer to [7] for the definition of these norms and note that

For a random permutation $E$ over $\mathcal{M}$ let $[E]^d$ denote the $\mathcal{M}^d \times \mathcal{M}^d$ matrix where the $(x^d, y^d) \in \mathcal{M}^d \times \mathcal{M}^d$ entry of $[E]^d$ is $P^E_{Y^d|X^d}(y^d, x^d)$. Let $D$ be a distance over the matrix space $\mathbb{R}^{\mathcal{M}^d \times \mathcal{M}^d}$. The $d$-wise decorrelation bias of the permutation $E$ is the distance ($C^*$ denotes the distribution of the uniform random permutation)

$\mathrm{DecP}^d_D(E) = D([E]^d, [C^*]^d).$
In the above definition the distance $D$ can be replaced by a matrix norm. The matrix norms considered are denoted $\|\cdot\|_\infty$, $\|\cdot\|_a$ and $\|\cdot\|_s$. These norms have a natural interpretation as they are exactly twice the advantage of the best (non-adaptive, adaptive or bidirectional) distinguisher making at most $d$ queries in distinguishing $E$ from a URP, i.e. (note that here the first terms are in our notation)

$\delta_d(E,P) = \tfrac{1}{2}\|[E]^d - [C^*]^d\|_\infty = \tfrac{1}{2}\mathrm{DecP}^d_\infty(E) \qquad (3)$

$\Delta_d(E,P) = \tfrac{1}{2}\|[E]^d - [C^*]^d\|_a = \tfrac{1}{2}\mathrm{DecP}^d_a(E) \qquad (4)$

$\Delta_d(\langle E \rangle, \langle P \rangle) = \tfrac{1}{2}\|[E]^d - [C^*]^d\|_s = \tfrac{1}{2}\mathrm{DecP}^d_s(E) \qquad (5)$

The main theorem of [7] states that if a block cipher has small $2d$-wise ($\|\cdot\|_\infty$, $\|\cdot\|_a$ or $\|\cdot\|_s$) decorrelation bias it is secure against any $d$-iterated attack performed by any (non-adaptive, adaptive or bidirectional) distinguisher.

We can plug (3), (4) and (5) directly into Theorem 1 and get the first nontrivial relations known among these norms.

Corollary 2

$\mathrm{DecP}^d_\infty(E) \le \varepsilon \;\wedge\; \mathrm{DecP}^d_\infty(F) \le \varepsilon \;\Longrightarrow\; \mathrm{DecP}^d_a(E \circ F) \le 2\varepsilon\bigl(1 + \ln\tfrac{2}{\varepsilon}\bigr),$

$\mathrm{DecP}^d_\infty(E) \le \varepsilon \;\wedge\; \mathrm{DecP}^d_\infty(F) \le \varepsilon \;\Longrightarrow\; \mathrm{DecP}^d_s(E \circ F^{-1}) \le 2\varepsilon\bigl(1 + \ln\tfrac{2}{\varepsilon}\bigr).$

The second statement of the corollary now implies that using a block cipher with small $2d$-wise decorrelation bias in the $\infty$ norm against non-adaptive chosen plaintext $d$-iterated attacks in a cascade (with independent keys, the second time in decrypt mode) results in a block cipher which is secure against adaptive combined chosen plaintext and ciphertext $2d$-iterated attacks.



6 Conclusions and Open Problems 

It would be interesting to have a similar framework as the one proposed in this 
paper for the computational setting. For example, the computational analog of 
Theorem 2 would state that the cascade of two block-ciphers, each secure against 
non-adaptively chosen plaintext attacks, is secure against adaptive chosen plain- 
text/ciphertext adversaries. 

As already mentioned in the introduction, there is a gap in the order of $\ln\tfrac{1}{\varepsilon}$ between the $O(\varepsilon \ln\tfrac{1}{\varepsilon})$ bound proven in Theorems 1 and 2 and an easy to show $\Omega(\varepsilon)$ lower bound for the respective terms. However, Lemmas 6 and 9 can be shown to be tight up to a (small) multiplicative constant, so we cannot hope to close this gap (i.e. showing an upper bound of $O(\varepsilon)$) by improving on them. But trying to find a concrete example (of random systems) for which a matching $\Omega(\varepsilon \ln\tfrac{1}{\varepsilon})$ lower bound can be proven seems promising to us.
A Martingales 

In what follows, let $\hat V_n := \max_{0 \le j \le n} V_j$. The following lemma is known as the Kolmogorov-Doob inequality.

Lemma 11 Let $V_0, V_1, \ldots$ be a sub-martingale sequence where the $V_i$ are non-negative. Then, for every $n$,

$P[\hat V_n \ge \lambda] \le \dfrac{E[V_n]}{\lambda}.$

Proof of Lemma 7: We restate the lemma for the reader's convenience: If $V_0, V_1, \ldots$ is a sub-martingale sequence where $0 \le V_i \le 1$ for all $i$, then

$E[\hat V_n] \le E[V_n] \cdot (1 - \ln(E[V_n])).$

Let $\psi(r)$ denote the function

$\psi(r) = \begin{cases} 1 & \text{if } r \le E[V_n] \\ E[V_n]/r & \text{if } E[V_n] < r \le 1 \\ 0 & \text{if } r > 1 \end{cases}$

With Lemma 11 and $0 \le \hat V_n \le 1$ (which follows from $0 \le V_i \le 1$) we see that

$\forall r: \; P[\hat V_n \ge r] \le \psi(r).$
So we can upper bound $E[\hat V_n]$ as

$E[\hat V_n] \le \int_{-\infty}^{\infty} -\psi'(r)\, r \, dr = \int_{E[V_n]}^{1} \dfrac{E[V_n]}{r^2}\, r \, dr + E[V_n] = \int_{E[V_n]}^{1} \dfrac{E[V_n]}{r}\, dr + E[V_n] = -\ln(E[V_n]) \cdot E[V_n] + E[V_n]. \qquad \square$



Proof of Lemma 8: We restate the lemma for the reader's convenience: $Z_0, Z_1, \ldots$ as defined in (2) is a sub-martingale sequence in the random experiment $D \diamond F$, i.e.,

$\forall i \ge 0: \; E^{D \diamond F}[Z_{i+1} \mid Z_0, \ldots, Z_i] \ge Z_i.$

Because the $Z_0, \ldots, Z_i$ are determined by $X^iY^i$, we can prove the (stronger) statement

$\forall i \ge 0: \; E^{D \diamond F}[Z_{i+1} \mid X^iY^i] \ge Z_i$

instead. Below the sums over $\mathcal{X} \times \mathcal{Y}$ always apply to the random variables $X_{i+1}$ and $Y_{i+1}$. Lemma 1 is used several times.

$E^{D \diamond F}[Z_{i+1} \mid X^iY^i] = \sum_{\mathcal{X} \times \mathcal{Y}} P^D_{X_{i+1}|X^iY^i} \, P^F_{Y_{i+1}|X^{i+1}Y^i} \cdot \max\left\{ \dfrac{P^F_{Y^{i+1}|X^{i+1}} - P^G_{Y^{i+1}|X^{i+1}}}{P^F_{Y^{i+1}|X^{i+1}}},\; 0 \right\}$

$= \dfrac{1}{P^D_{X^i|Y^{i-1}} P^F_{Y^i|X^i}} \sum_{\mathcal{X} \times \mathcal{Y}} P^D_{X^{i+1}|Y^i} \cdot \max\bigl\{ P^F_{Y^{i+1}|X^{i+1}} - P^G_{Y^{i+1}|X^{i+1}},\; 0 \bigr\}$

$= \dfrac{1}{P^D_{X^i|Y^{i-1}} P^F_{Y^i|X^i}} \sum_{\mathcal{X} \times \mathcal{Y}} \max\bigl\{ P^{D \diamond F}_{X^{i+1}Y^{i+1}} - P^{D \diamond G}_{X^{i+1}Y^{i+1}},\; 0 \bigr\}$

$\ge \dfrac{1}{P^D_{X^i|Y^{i-1}} P^F_{Y^i|X^i}} \max\Bigl\{ \sum_{\mathcal{X} \times \mathcal{Y}} P^{D \diamond F}_{X^{i+1}Y^{i+1}} - \sum_{\mathcal{X} \times \mathcal{Y}} P^{D \diamond G}_{X^{i+1}Y^{i+1}},\; 0 \Bigr\}$

$= \dfrac{1}{P^D_{X^i|Y^{i-1}} P^F_{Y^i|X^i}} \max\bigl\{ P^{D \diamond F}_{X^iY^i} - P^{D \diamond G}_{X^iY^i},\; 0 \bigr\}$

$= \max\left\{ \dfrac{P^F_{Y^i|X^i} - P^G_{Y^i|X^i}}{P^F_{Y^i|X^i}},\; 0 \right\} = Z_i. \qquad \square$
Abstract. Goldreich and Lindell (CRYPTO ‘01) recently presented the first protocol for password-authenticated key exchange in the standard model (with no common reference string or set-up assumptions other than the shared password). However, their protocol uses several heavy tools and has a complicated analysis.

We present a simplification of the Goldreich-Lindell (GL) protocol and analysis for the special case when the dictionary is of the form $\mathcal{D} = \{0,1\}^d$, i.e. the password is a short random string (like an ATM PIN number). Our protocol can be converted into one for arbitrary dictionaries using a common reference string of logarithmic length. The security bound achieved by our protocol is somewhat worse than the GL protocol. Roughly speaking, our protocol guarantees that the adversary can “break” the scheme with probability at most $O(\mathrm{poly}(n)/|\mathcal{D}|)^{\Omega(1)}$, whereas the GL protocol guarantees a bound of $O(1/|\mathcal{D}|)$.

We also present an alternative, more natural definition of security than the “augmented definition” of Goldreich and Lindell, and prove that the two definitions are equivalent.



1 Introduction 

What is the minimal amount of information that two parties must share in order 
to perform nontrivial cryptography? This fundamental question is at the heart 
of many of the major distinctions we draw in cryptography. Classical private- 
key cryptography assumes that the legitimate parties share a long random key. 
Public-key cryptography mitigates this by allowing the sharing of information 
to be done through public keys that need not be hidden from the adversary. 
However, in both cases, the amount of information shared by the legitimate 
parties (e.g. as measured by mutual information) needs to be quite large. Indeed, 
the traditional view is that security comes from the adversary’s inability to 
exhaustively search the keyspace. 

Thus it is very natural to ask: can we do nontrivial cryptography using “low- 
entropy” keys? That is, using a keyspace that is feasible to exhaustively search. 
In addition to being a natural theoretical question, it has clear relevance to the many “real-life” situations where we need security but only have a low-entropy key (e.g. an ATM PIN number, or human-chosen password on a website).

Public-key cryptography provides an initial positive answer to this question: key-exchange protocols, as in [10], do not require any prior shared information. However, this holds only for passive adversaries, and it is well known that without any prior shared information between the legitimate parties, an active adversary can always succeed through a person-in-the-middle attack. Thus, it remains an interesting question to achieve security against active adversaries using a low-entropy shared key. This has led researchers to consider the problem of password-authenticated key exchange, which we describe next.

Password-Authenticated Key Exchange. The password-authenticated key exchange problem was first suggested by Bellovin and Merritt [4]. We assume that two parties, Alice and Bob, share a password $w$ chosen uniformly at random from a dictionary $\mathcal{D} \subseteq \{0,1\}^n$. This dictionary can be very small, e.g. $|\mathcal{D}| = \mathrm{poly}(n)$, and in particular it may be feasible for an adversary to exhaustively search it. Our aim is to construct a protocol enabling Alice and Bob to generate a “random” session key $K \in \{0,1\}^n$, which they can subsequently use for standard private-key cryptography. We consider an active adversary that completely controls the communication channel between Alice and Bob. The adversary can intercept, modify, drop, and delay messages, and in particular can attempt to impersonate either party through a person-in-the-middle attack.

Our goal is that, even after the adversary mounts such an attack, Alice and Bob will generate a session key that is indistinguishable from uniform even given the adversary's view. However, our ability to achieve this goal is limited by two unpreventable attacks. First, since the adversary can block all communication, it can prevent one or both of the parties from completing the protocol and obtaining a session key. Second, the adversary can guess a random password $\tilde w \in \mathcal{D}$ and attempt to impersonate one of the parties. With probability $1/|\mathcal{D}|$, the guess equals the real password (i.e., $\tilde w = w$), and the adversary will succeed in the impersonation and therefore learn the session key. Thus, we revise our goal to effectively limit the adversary to these two attacks. Various formalizations for this problem have been developed through several works [3,15,22,2,7,12]. We follow the definitional framework of Goldreich and Lindell [12], which is described in more detail in Sec. 2.

In addition to addressing what can be done with a minimal amount of shared 
information, the study of this problem is useful as another testbed for developing 
our understanding of concurrency in cryptographic protocols. The concurrency 
implicitly arises from the person-in-the-middle attack, which we can view as two 
simultaneous executions of the protocol, one between Alice and the adversary 
and the other between Bob and the adversary. 

The first protocols for the password-authenticated key exchange problem
were proposed in the security literature, based on informal definitions and
heuristic arguments (e.g. [5,24]). The first rigorous proofs of security were given
in the random oracle model [2,7]. Only recently were rigorous solutions without
random oracles given, in independent works by Goldreich and Lindell [12] and
Katz, Ostrovsky, and Yung [16]. One of the main differences between these two
protocols is that the KOY protocol (and the subsequent protocols of [17,11]) is in
the "public parameters model," requiring a string to be generated and published
by a trusted third party, whereas the GL protocol requires no set-up assumption
other than the shared password. Thus, even though the KOY protocol has a
number of practical and theoretical advantages over the GL protocol (which we
will not enumerate here), the GL protocol is more relevant to our initial question
about the minimal amount of shared information needed for nontrivial
cryptography.

The Goldreich-Lindell Protocol. As mentioned above, the Goldreich-Lindell
protocol [12] is remarkable in that the only set-up assumption it requires is that
the two parties share a password chosen at random from an arbitrary dictionary.
Their protocol can be based on general complexity assumptions (the existence
of trapdoor permutations), can be implemented in a constant number of rounds
(under stronger assumptions), and achieves a nearly optimal security bound (the
adversary has probability only $O(1/|\mathcal{D}|)$ of "breaking" the scheme).

Despite giving such a strong result, the Goldreich-Lindell protocol does not
leave us with a complete understanding of the password-authenticated key
exchange problem. First, the protocol makes use of several "heavy" tools: secure
two-party polynomial evaluation (building on [19], who observed that this yields
a protocol for password-authenticated key exchange against passive adversaries),
nonmalleable commitments (as suggested in [6]), and the specific concurrent
zero-knowledge proof of Richardson and Kilian [21]. It is unclear whether all of
these tools are really essential for solving the key exchange problem. Second, the
proof of the protocol's security is extremely complicated. Goldreich and Lindell
do introduce nice techniques for analyzing concurrent executions (arising from
the person-in-the-middle attack) of two-party protocols whose security is only
guaranteed in the stand-alone setting (e.g. the polynomial evaluation). But these
techniques are applied in an intricate manner that seems inextricably tied to the
presence of the nonmalleable commitment and zero-knowledge proof. Finally,
finding an efficient instantiation of the Goldreich-Lindell protocol would require
finding efficient instantiations of all three of the heavy tools mentioned above,
which seems difficult. In particular, the Richardson-Kilian zero-knowledge proof
is used to prove an NP statement that asserts the consistency of a transcript
of the nonmalleable commitment, a standard commitment, and the output of
an iterated one-way permutation. For such an NP statement, it seems difficult
to avoid using a generic zero-knowledge proof system for NP, and such systems
are almost always inefficient due to the use of Cook's theorem.

Our Protocol. Our main result is a simplification of the Goldreich-Lindell
protocol and analysis for the special case when the dictionary is of the form
$\mathcal{D} = \{0,1\}^d$, i.e. the password is a short random string (like an ATM PIN).
This special case still retains many of the key features of the problem: the
person-in-the-middle attack and the resulting concurrency issues are still
present, and the adversary can still exhaustively search the dictionary (since we
allow the password length $d$ to be as small as $O(\log n)$, where $n$ is the security
parameter). Moreover, our protocol can be converted into one for arbitrary
dictionaries in the common reference string model (using the common reference
string as the seed of a randomness extractor [20]). For dictionaries
$\mathcal{D} \subseteq \{0,1\}^n$, the common reference string is a uniform string of only
logarithmic length (specifically, $O(\log n + \log |\mathcal{D}|)$), and thus retains the spirit
of minimizing the amount of shared information between the legitimate parties.
In contrast, the previous protocols in the public parameters model [16,17,11]
require a public string of length $\mathrm{poly}(n)$ with special number-theoretic
structure.

The main way in which we simplify the GL protocol is that we remove the
nonmalleable commitments and the Richardson-Kilian zero-knowledge proof.
Instead, our protocol combines secure polynomial evaluation with a combinatorial
tool (almost pairwise independent hashing), in addition to using "lightweight"
cryptographic primitives also used in [12] (one-way permutations, one-time
MACs, standard commitments). Our analysis is also similarly simpler. While
it has the same overall structure as the analysis in [12] and utilizes their
techniques for applying the stand-alone properties of the polynomial evaluation in
the concurrent setting, it avoids dealing with the nonmalleable commitments and
the zero-knowledge proof (which is the most complex part of the GL analysis).

Removing the nonmalleable commitments and the RK zero-knowledge proof
has two additional implications. First, finding an efficient implementation of
our protocol only requires finding an efficient protocol for secure polynomial
evaluation (in fact, only for linear polynomials).¹ Since this is a highly structured
special case of secure two-party computation, it does not seem beyond reach
to find an efficient protocol. Indeed, Naor and Pinkas [19] have already given
an efficient polynomial evaluation protocol for passive adversaries. Second, our
protocol can be implemented in a constant number of rounds assuming only the
existence of trapdoor permutations, whereas implementing the Goldreich-Lindell
protocol in a constant number of rounds requires additional assumptions, such
as the existence of claw-free permutations (for [21]) and some sort of exponential
hardness assumption (to use [1]).

We note that the security bound achieved by our protocols is somewhat
worse than in previous works. Roughly speaking, our protocol guarantees that
the adversary can "break" the scheme with probability at most
$O\big((\mathrm{poly}(n)/|\mathcal{D}|)^{\Omega(1)}\big)$, whereas previous works guarantee a bound of
$O(1/|\mathcal{D}|)$.

An additional result in our paper involves the definition of security in [12].
As pointed out by Rackoff (cf., [2]), it is important that a key exchange protocol
provide security even if the party who completes the protocol first starts using
the generated key in some application before the second party completes the
protocol. In order to address this issue, Goldreich and Lindell [12] augmented
their definition with a "session-key challenge", in which the adversary is given
either the generated key or a uniform string with probability 1/2 upon the
first party's completion of the protocol. We present an arguably more natural
definition that directly models the use of the generated key in an arbitrary
application, and prove its equivalence to the augmented definition of Goldreich
and Lindell [12]. (This result is analogous to the result of Shoup [22] for
non-password-based key exchange protocols.)

¹ Actually, we require a slightly augmented form of polynomial evaluation, in which
one of the parties commits to its input beforehand and the protocol ensures
consistency with this committed input.

2 Definition of Security 

We adopt the notation of Goldreich and Lindell and refer the reader to [12] for
more details.

– $C$ denotes the probabilistic polynomial time adversary through which the
  honest parties $A$ and $B$ communicate. We model this communication by
  giving $C$ oracle access to a single copy of $A$ and a single copy of $B$. Here the
  oracles $A$ and $B$ have memory and represent honest parties executing the
  session-key generation protocol. We denote by $C^{A(x),B(y)}(\sigma)$ an execution
  of $C$ with auxiliary input $\sigma$ when it communicates with $A$ and $B$, with
  respective inputs $x$ and $y$. The output of the channel $C$ from this execution
  is denoted by $\mathrm{output}(C^{A(x),B(y)}(\sigma))$.

– The security parameter is denoted by $n$. The password dictionary is denoted
  by $\mathcal{D} \subseteq \{0,1\}^n$ and we write $\varepsilon = 1/|\mathcal{D}|$.

We denote by $U_n$ the uniform distribution over strings of length $n$, by $\mathrm{neg}(n)$ a
negligible function and write $x \leftarrow S$ when $x$ is chosen uniformly from the set $S$.

For a function $\gamma : \mathbb{N} \to [0,1]$, we say that the probability ensembles $\{X_n\}$
and $\{Y_n\}$ are $(1-\gamma)$-indistinguishable (denoted by $\{X_n\} \stackrel{\gamma}{\equiv} \{Y_n\}$) if for every
nonuniform PPT distinguisher $D$ and all $n$,

$$\big|\Pr[D(X_n) = 1] - \Pr[D(Y_n) = 1]\big| \le \gamma(n) + \mathrm{neg}(n) .$$

We say that $\{X_n\}$ and $\{Y_n\}$ are computationally indistinguishable, which we
denote by $X_n \equiv Y_n$, if they are $1$-indistinguishable. We say that $\{X_n\}$ is
$(1-\gamma)$-pseudorandom if it is $(1-\gamma)$-indistinguishable from $U_n$.

We will now formalize the problem of session-key generation using human
passwords. We first follow the presentation of the problem as in [12] and then
contrast it with our definition.



2.1 The Initial Definition 

The definition in [12] follows the standard paradigm for secure computation:
define an ideal functionality (using a trusted third party) and require that every
adversary attacking the real protocol can be simulated by an ideal adversary
attacking the ideal functionality. Note that in the real protocol, the active
adversary $C$ can prevent one or both of the parties $A$ and $B$ from having an
output. Thus, in the ideal model, we will allow $C_{\mathrm{ideal}}$ to specify two input bits,
$\mathrm{dec}_A$ and $\mathrm{dec}_B$, which determine whether $A$ and $B$ obtain a session key or not.

Ideal model. Let $A$, $B$ be the honest parties and let $C_{\mathrm{ideal}}$ be any PPT ideal
adversary with auxiliary input $\sigma$.

1. $A$ and $B$ receive $w \leftarrow \mathcal{D}$.

2. $A$ and $B$ both send $w$ to the trusted party.

3. $C_{\mathrm{ideal}}$ sends $(\mathrm{dec}_A, \mathrm{dec}_B)$ to the trusted party.

4. The trusted party chooses $K \leftarrow \{0,1\}^n$. For each party $i \in \{A, B\}$, the
   trusted party sends $K$ if $\mathrm{dec}_i = 1$ and sends $\bot$ if $\mathrm{dec}_i = 0$.

The ideal distribution is defined by:

$$\mathrm{IDEAL}_{C_{\mathrm{ideal}}}(\mathcal{D}, \sigma) = \big(w, \mathrm{output}(A), \mathrm{output}(B), \mathrm{output}(C_{\mathrm{ideal}}(\sigma))\big) .$$

Real model. Let $A$, $B$ be the honest parties and let $C$ be any PPT real
adversary with auxiliary input $\sigma$.

At some initialization stage, $A$ and $B$ receive $w \leftarrow \mathcal{D}$. The real protocol is
executed by $A$ and $B$ communicating via $C$. We will augment $C$'s view of
the protocol with $A$ and $B$'s decision bits, denoted by $\mathrm{dec}_A$ and $\mathrm{dec}_B$, where
$\mathrm{dec}_A = \mathrm{reject}$ if $\mathrm{output}(A) = \bot$, and $\mathrm{dec}_A = \mathrm{accept}$ otherwise ($\mathrm{dec}_B$ is
defined similarly). (Indeed, in typical applications, the decisions of $A$ and
$B$ will be learned by the real adversary $C$: if $A$ obtains a session key, then
it will use it afterwards; otherwise, $A$ will stop communication or try to
re-initiate an execution of the protocol.) $C$'s augmented view is denoted by
$\mathrm{output}(C^{A(w),B(w),\mathrm{dec}_A,\mathrm{dec}_B}(\sigma))$.

The real distribution is defined by:

$$\mathrm{REAL}_C(\mathcal{D}, \sigma) = \big(w, \mathrm{output}(A), \mathrm{output}(B), \mathrm{output}(C^{A(w),B(w),\mathrm{dec}_A,\mathrm{dec}_B}(\sigma))\big) .$$

One might want to say that a protocol for password-based session-key
generation is secure if the above ideal and real distributions are computationally
indistinguishable. Unfortunately, as pointed out in [12], an active adversary can
guess the password and successfully impersonate one of the parties with
probability $\varepsilon$. This implies that the real and ideal distributions are always
distinguishable with probability at least $\varepsilon$. Thus we will only require that the
distributions be distinguishable with probability at most $O(\gamma)$, where the goal
is to make $\gamma$ as close to $\varepsilon$ as possible. In the case of a passive adversary, we
require that the real and ideal distributions be computationally indistinguishable
(for all subsequent definitions, this requirement will be implicit).

Definition 1 (Initial definition). A protocol for password-based authenticated
session-key generation is $(1-\gamma)$-secure for the dictionary $\mathcal{D} \subseteq \{0,1\}^n$ (where $\gamma$
is a function of the dictionary size $|\mathcal{D}|$ and $n$) if:

1. For every real passive adversary $C$, there exists an ideal adversary $C_{\mathrm{ideal}}$ which
   always sends $(1,1)$ to the trusted party such that for every auxiliary input
   $\sigma \in \{0,1\}^{\mathrm{poly}(n)}$,

   $$\{\mathrm{IDEAL}_{C_{\mathrm{ideal}}}(\mathcal{D}, \sigma)\}_n \equiv \{\mathrm{REAL}_C(\mathcal{D}, \sigma)\}_n .$$

2. For every real adversary $C$, there exists an ideal adversary $C_{\mathrm{ideal}}$ such that
   for every auxiliary input $\sigma \in \{0,1\}^{\mathrm{poly}(n)}$,

   $$\{\mathrm{IDEAL}_{C_{\mathrm{ideal}}}(\mathcal{D}, \sigma)\}_n \stackrel{O(\gamma)}{\equiv} \{\mathrm{REAL}_C(\mathcal{D}, \sigma)\}_n .$$

By the discussion above, the best we can hope for is $\gamma = 1/|\mathcal{D}|$. Note that
in [12], their definition and protocol refer to any dictionary $\mathcal{D} \subseteq \{0,1\}^n$ and
$\gamma = 1/|\mathcal{D}|$. In contrast, our protocol will be $(1-\gamma)$-secure for dictionaries of the
form $\mathcal{D} = \{0,1\}^d$ and $\gamma = (\mathrm{poly}(n)/|\mathcal{D}|)^{\Omega(1)}$.



2.2 Augmented Definitions 

The above definition is actually not completely satisfying because of a subtle
point raised by Rackoff: the adversary controls the scheduling of the interactions
$(A, C)$ and $(C, B)$, so the honest parties do not necessarily end at the same time.
$A$ might use its session key $K_A$ before the interaction $(C, B)$ is completed: $A$'s
use of $K_A$ leaks information which $C$ might use in its interaction with $B$ to learn
$K_A$, $K_B$ or the password $w$.

In [12], Goldreich and Lindell augment the above definition with a session-key
challenge to address this issue. Suppose that $A$ completes the protocol first
and outputs a session key $K$; then the adversary is given a session-key challenge
$K_\beta$, which is the session key $K$ with probability 1/2 (i.e. $\beta = 1$) or a truly
random string $K_0$ with probability 1/2 (i.e. $\beta = 0$). The adversary $C$ will be
given the session-key challenge in both the ideal and real models, as soon as
the first honest party outputs a session key $K$. We call the resulting definition
security with respect to the session-key challenge.

Goldreich and Lindell give some intuition as to why the session-key challenge
solves the above flaw. First, note that the ideal adversary cannot distinguish
between the case $\beta = 0$ and the case $\beta = 1$ since in the ideal model, both $K_0$
and $K$ are truly uniform strings. Consider the real adversary who has been
given the session-key challenge: if $C$ has been given $K_0$, then the session-key
challenge does not help $C$ in attacking the protocol, since $C$ could generate $K_0$
on its own. Suppose that instead $C$ has been given $K$ and can somehow use
it to attack the protocol (this corresponds to the situation where $A$ uses the
session key $K$; $C(K)$ can simulate $A$'s use of the key); then it would mean that
$C$ can tell if it is in the case $\beta = 0$ or $\beta = 1$, which is not possible if the protocol
is secure with respect to the session-key challenge.
Our intuitive notion of security is that no matter how $A$ uses its session
key $K$ before the execution $(C, B)$ is completed, the ideal and real distributions
should be $(1 - O(\gamma))$-indistinguishable. Even with the above intuition, it is not
immediate that the session-key challenge fully captures this goal. Thus we
propose an alternative augmentation to Definition 1 that corresponds more directly
to this goal.

We model the different ways the party $A$ could use its session key $K$ by
considering an arbitrary probabilistic polynomial time machine $Z$ which is given the
key $K$ (as soon as $A$ outputs a session key $K$) and interacts with the adversary
in both the ideal and real models. This is similar to the "application" queries
in Shoup's model for (non-password-based) secure key exchange [22], which was
later extended to password protocols in [7]. $Z$ can also be thought of in terms
of "environment" as in the definition of universal composability by Canetti [8]:
$Z$ models an arbitrary environment (or application) in which the key generated
by the session-key generation protocol is used.²

Examples of environments follow:

1. $Z(K) = \lambda$: $A$ does not use its session key.

2. $Z(K) = K$: $A$ publicly outputs its session key.

3. $Z(K) = K$ with probability 1/2, $U_n$ with probability 1/2. This corresponds
   to the session-key challenge.

4. $Z(K) = \mathrm{Enc}_K(0^n)$: $A$ uses its session key for secure private-key encryption.

5. $C$ sends a query $m_1$, $Z(K)$ answers with $\mathrm{Enc}_K(m_1)$, $C$ sends a query $m_2$,
   $Z(K)$ answers with $\mathrm{Enc}_K(m_2)$ and so on. $A$ uses its key for encryption and
   the adversary is mounting a chosen plaintext attack.

We call the definition obtained by adding (in both the ideal and real models) 
the environment Z security with respect to the environment. Informally, a real 
protocol is secure with respect to the environment if every adversary attacking 
the real protocol and interacting with an arbitrary environment can be simulated, 
with probability 1 — 0(7), by an ideal adversary attacking the ideal functionality 
and interacting with the same environment in the ideal model. (More precisely, 
for every real adversary, there should be a single ideal adversary that simulates 
it well for every environment.) 

Note that security with respect to the environment implies security with
respect to the session-key challenge since it suffices to consider the PPT $Z(K)$
which generates $\beta \leftarrow \{0,1\}$ and outputs the key $K$ if $\beta = 1$ or a truly random
string $K_0$ if $\beta = 0$. We show that the two definitions are actually equivalent:

Theorem 2. A protocol $(A, B)$ is $(1-\gamma)$-secure with respect to the session-key
challenge iff it is $(1-\gamma)$-secure with respect to the environment.

This is similar to a result of Shoup [22] showing the equivalence of his
definition and the Bellare-Rogaway [3] definition for non-password-based key
exchange. The "application" queries in Shoup's definition are analogous to our
environment $Z$, and the "test" queries in [3] are analogous to the session-key
challenge. Though both of these definitions have been extended to password-
authenticated key exchange [7,2], it is not immediate that Shoup's equivalence
result extends directly to our setting. For example, the definitions of [3,2] are not
simulation-based and do not directly require that the password remain
pseudorandom, whereas here we are relating two simulation-based definitions that do
ensure the password's secrecy.

² Note that this is not as general as the definition of Canetti since the environment $Z$
is only given the session key and not the password $w$.

Given Theorem 2, the relationship between security with respect to the en- 
vironment and security with respect to the session-key challenge is analogous 
to the relationship between semantic security and indistinguishability for en- 
cryption schemes [14,18]. Though both are equivalent, the former captures our 
intuitive notion of security better, but the latter is typically easier to establish for 
a given protocol (as it involves only taking into account a specific environment 
Z). 

3 An Overview of the Protocol 

Before presenting our protocol, we introduce the polynomial evaluation function- 
ality, which is an important tool for the rest of the paper. In [19], it is observed 
that a secure protocol for polynomial evaluation immediately yields a protocol 
for session-key generation which is secure against passive adversaries. In [12], 
Goldreich and Lindell work from the intuition (from [6]) that by augmenting a 
secure protocol for polynomial evaluation with additional mechanisms, one can 
obtain a protocol for session-key generation which is secure against active ad- 
versaries. Our protocol also comes from this intuition but the additional tools 
we are using are different. 

3.1 Secure Polynomial Evaluation 

In a secure polynomial evaluation, a party $A$ knows a polynomial $Q$ over some
field $F$ and a party $B$ wishes to learn the value $Q(x)$ for some element $x \in F$ such
that $A$ learns nothing about $x$ and $B$ learns nothing else about the polynomial
$Q$ but the value $Q(x)$. More specifically, for our problem, we will assume that
$F = \mathrm{GF}(2^n) \approx \{0,1\}^n$, $Q$ is a linear non-constant polynomial over $F$, and $x$ is
a string in $\{0,1\}^n$.

Definition 3 (Polynomial evaluation). The polynomial evaluation
functionality is defined as:

Inputs The input of $A$ is a linear non-constant polynomial $Q$ over $\mathrm{GF}(2^n)$. The
input of $B$ is a value $x \in \mathrm{GF}(2^n)$.

Outputs $B$ receives $Q(x)$. $A$ receives nothing.

As observed in [19], a secure protocol for polynomial evaluation yields
immediately a protocol for session-key generation which is secure against passive
adversaries as follows: $A$ chooses a random linear non-constant polynomial $Q$,
and $A$ and $B$ engage in a secure polynomial evaluation protocol, where $A$ inputs
$Q$ and $B$ inputs $w$, so that $B$ obtains $Q(w)$. Since $A$ has both $Q$ and $w$, $A$ can
also obtain $Q(w)$, and the session key is set to be $K = Q(w)$.

This protocol is secure against passive adversaries because the key $K$ is a
random string (since $Q$ is a random polynomial), and it can be shown that
an eavesdropper learns nothing about $w$ or $Q(w)$ (due to the security of the
polynomial evaluation).

However, the protocol is not secure against active adversaries. For example,
an active adversary $C$ can input a fixed polynomial $Q_C$ in its interaction with $B$,
say the identity polynomial $\mathrm{id}$, and a fixed password $w_C$ in its interaction with
$A$. $A$ outputs the session key $Q_A(w)$ and $B$ outputs the session key $Q_C(w) = w$.
With probability $1 - 2^{-n}$, the two session keys are different, whereas the definition
of security requires them to be equal with probability $1 - O(\gamma)$.

3.2 Motivation for Our Protocol 

The main deficiency of the secure polynomial evaluation protocol against active
adversaries is that it does not guarantee that $A$ and $B$ output the same random
session key. Somehow, the parties have to check that they computed the same
random session key before starting to use it. It can be shown that $A$'s session
key $K_A = Q_A(w)$ is pseudorandom to the adversary, so $A$ can start using it
without leaking information. However, $B$ cannot use its key $K_B = Q_C(w)$
because it might belong to a set of polynomial size (for example, if $Q_C = \mathrm{id}$,
then $Q_C(w) \in \mathcal{D}$, where the dictionary is by definition a small set). Hence
Goldreich and Lindell added a validation phase in which $A$ sends a message
to $B$ so that $B$ can check if it computed the same session key, say $A$ sends
$f^n(K_A)$ where $f$ is a one-way permutation. Since $f^n$ is a 1-1 map, this uniquely
defines $K_A$ (the session key used now consists of hardcore bits of $f^i(K_A)$, for
$i = 0, \ldots, n-1$): $B$ will compute $f^n(K_B)$ and compare it with the value it
received.

But it is still not clear that this candidate protocol is secure. Recall that the
security of the polynomial evaluation protocol applies only in the stand-alone
setting and guarantees nothing in the concurrent setting. In particular, it might
be that $C$ inputs a polynomial $Q_C$ in the polynomial evaluation between $C$ and
$B$ such that the polynomials $Q_A$ and $Q_C$ are related in some manner, say for
any $w \in \mathcal{D}$, it is easy to compute the correct validation message $f^n(Q_C(w))$
given the value of $f^n(Q_A(w))$, yet $B$'s key does not equal $A$'s key.

To prevent this from happening, Goldreich and Lindell force the polynomial
$Q$ input in the polynomial evaluation phase to be consistent with the message
sent in the validation phase (which is supposedly $f^n(Q(w))$). The parties have
to commit to their inputs at the beginning and then prove in a zero-knowledge
manner that the messages sent in the validation phase are consistent with these
commitments. Because of the person-in-the-middle attack and the concurrency
issues mentioned earlier, Goldreich and Lindell cannot use standard commitment
schemes and standard zero-knowledge proofs but rather they use nonmalleable
commitments and the specific zero-knowledge proof of Richardson and Kilian.

Our approach is to allow $C$ to input a polynomial $Q_C$ related to $Q_A$, but
to prevent $C$ from being able to compute a correct validation message with
respect to $B$'s session key, even given $A$'s validation message. Suppose that
the parties have access to a family of pairwise independent hash functions $\mathcal{H}$.
In the validation phase, we require $A$ to send $h(f^n(K_A)) = h(f^n(Q_A(w)))$
for some function $h \leftarrow \mathcal{H}$. Then, even if $K_A = Q_A(w)$ and $K_B = Q_C(w)$ are
related (but distinct), the values $h(f^n(K_A))$ and $h(f^n(K_B))$ will be
independent and $C$ cannot do much better than randomly guess the value of
$h(f^n(K_B))$.

One difficulty arises at this point: the parties have to agree on a common
random hash function $h \leftarrow \mathcal{H}$. But the honest parties $A$ and $B$ only share the
randomness coming from the password $w$, so this password $w$ has to be enough
to agree on a random hash function. To make this possible, we assume that the
password is of the form $(w, w')$ where $w$ and $w'$ are chosen independently of one
another: $w$ is chosen at random from an arbitrary dictionary $\mathcal{D} \subseteq \{0,1\}^n$ and $w'$
is uniformly distributed in $\mathcal{D}' = \{0,1\}^{d'}$. (For example, these can be obtained by
splitting a single random password from $\{0,1\}^{d+d'}$ into two parts.) The first part
of the password, $w$, will be used in the polynomial evaluation protocol whereas
the second part of the password, $w'$, will be used as the index of a hash function.
Indeed, if we assume that $\mathcal{D}' = \{0,1\}^{d'}$, there exists a family of almost pairwise
independent hash functions $\mathcal{H} = \{h : \{0,1\}^n \to \{0,1\}^m\}$, where each hash
function is indexed by a password $w' \in \mathcal{D}'$ and $m = \Omega(d')$.

We formalize these ideas in the protocol described below. 

3.3 Description of the Protocol 

Like in [12], we will need a secure protocol for an augmented version of
polynomial evaluation.

Definition 4 (Augmented polynomial evaluation). The augmented
polynomial evaluation functionality is defined as:

Earlier phase. $A$ sends a commitment $c_A = \mathrm{Commit}(Q_A, r_A)$ to a linear non-
constant polynomial $Q_A$ for a randomly chosen $r_A$. $B$ receives a commitment
$c_B$. We assume that the commitment scheme used is perfectly binding and
computationally hiding.

Inputs. The input of $A$ is a linear non-constant polynomial $Q_A$, a commitment
$c_A$ to $Q_A$ and a corresponding decommitment $r_A$. The input of $B$ is a
commitment $c_B$ and a value $x \in \mathrm{GF}(2^n)$.

Outputs.

– In the case of correct inputs, i.e. $c_A = c_B$ and $c_A = \mathrm{Commit}(Q_A, r_A)$:
  $B$ receives $Q_A(x)$ and $A$ receives nothing.

– In the case of incorrect inputs, i.e. $c_A \neq c_B$ or $c_A \neq \mathrm{Commit}(Q_A, r_A)$:
  $B$ receives a special failure symbol $\bot$ and $A$ receives nothing.
The other cryptographic tools we will need are:

Commitment scheme: Let $\mathrm{Commit}$ be a perfectly binding, computationally
hiding string commitment.

Seed-committed pseudorandom generator: Similarly to [12], we will use
the seed-committed pseudorandom generator

$$G(s) = \big(b(s)\, b(f(s)) \cdots b(f^{n+\ell-1}(s))\, f^{n+\ell}(s)\big)$$

where $f$ is a one-way permutation with hardcore bit $b$.

One-time MAC with pseudorandomness property: Let $\mathrm{MAC}$ be a message
authentication code for message space $\{0,1\}^{p(n)}$ (for a polynomial $p(n)$
to be specified later) using keys of length $\ell = \ell(n)$ that is secure against a one-
query attack, i.e. a PPT $\mathcal{A}$ which queries the tagging algorithm $\mathrm{MAC}_k$ on
at most one message of its choice cannot produce a valid forgery on a different
message. Additionally, we will require the following pseudorandomness
property:

– Let $k$ be a uniform key of length $\ell$.

– The adversary queries the tagging algorithm $\mathrm{MAC}_k$ on the message $m$
  of its choice.

– The adversary selects $m' \neq m$. We require that the value $\mathrm{MAC}_k(m')$ be
  pseudorandom with respect to the adversary's view.

Two examples of such a MAC are:

– $\mathrm{MAC}_s(m) = f_s(m)$ where $\{f_s\}_{s \in \{0,1\}^\ell}$ is a pseudorandom function
  family.

– $\mathrm{MAC}_{a,b}(m) = am + b$ where $\ell(n) = 2p(n)$ and $a, b \in \mathrm{GF}(2^{\ell/2})$.

Almost pairwise independent hash functions: The family of functions
$\mathcal{H} = \{h_{w'} : \{0,1\}^n \to \{0,1\}^m\}_{w' \in \{0,1\}^{d'}}$ is said to be pairwise $\delta$-dependent
or almost pairwise independent if:

1. (uniformity) $\forall x \in \{0,1\}^n$, when we choose $w' \leftarrow \{0,1\}^{d'}$, $h_{w'}(x)$ is
   uniform over $\{0,1\}^m$.

2. (pairwise independence) $\forall x_1 \neq x_2 \in \{0,1\}^n$, $\forall y_1, y_2 \in \{0,1\}^m$, when we
   choose $w' \leftarrow \{0,1\}^{d'}$,

   $$\Pr\big[h_{w'}(x_1) = y_1 \wedge h_{w'}(x_2) = y_2\big] = \frac{1 \pm \delta}{2^{2m}} .$$

We also require that for a fixed $w' \in \{0,1\}^{d'}$, the function $h_{w'}$ is regular, i.e.
it is $2^{n-m}$-to-1. In other words, $h_{w'}(U_n) = U_m$. Throughout this paper, we
write $\rho \stackrel{\mathrm{def}}{=} 1/|\mathcal{D}'|$.

Lemma 5. For the fixed dictionary $\mathcal{D}' = \{0,1\}^{d'} \subseteq \{0,1\}^n$, there exists a
family of almost pairwise independent hash functions
$\mathcal{H} = \{h_{w'} : \{0,1\}^n \to \{0,1\}^m\}_{w' \in \mathcal{D}'}$ with $m = \Omega(d')$.

The formal description of the protocol follows. A schematic diagram of the
protocol is given in Fig. 1.
Protocol 6.

1. Inputs: The parties $A$ and $B$ have a joint password $(w, w')$ where $w$ and $w'$
   are chosen independently: $w$ is chosen at random from an arbitrary dictionary
   $\mathcal{D} \subseteq \{0,1\}^n$ and $w'$ is uniformly distributed in $\mathcal{D}' = \{0,1\}^{d'} \subseteq \{0,1\}^n$.

2. Commitment: $A$ chooses a random linear non-constant polynomial $Q_A$
   over $\mathrm{GF}(2^n)$ and coin tosses $r_A$ and sends $c_A = \mathrm{Commit}(Q_A, r_A)$. $B$ receives
   some commitment $c_B$.

3. Augmented polynomial evaluation:

   a) $A$ and $B$ engage in a polynomial evaluation protocol: $A$ inputs the
      polynomial $Q_A$, the commitment $c_A$ and the coin tosses $r_A$ it used for the
      commitment; $B$ inputs the commitment $c_B$ it received and the password
      $w$ seen as an element of $\mathrm{GF}(2^n)$.

   b) The output of $B$ is denoted $\Pi_B$, which is supposed to be equal to $Q_A(w)$.

   c) $A$ internally computes $\Pi_A = Q_A(w)$.

4. Validation:

   a) $A$ sends the string $y_A = h_{w'}(f^{n+\ell}(\Pi_A))$.

   b) Let $t_A$ be the session transcript so far as seen by $A$. $A$ computes
      $k_1(\Pi_A) = b(\Pi_A) \cdots b(f^{\ell-1}(\Pi_A))$ and sends the string
      $z_A = \mathrm{MAC}_{k_1(\Pi_A)}(t_A)$.

5. Decision:

   a) $A$ always accepts and outputs $k_2(\Pi_A) = b(f^{\ell}(\Pi_A)) \cdots b(f^{n+\ell-1}(\Pi_A))$.

   b) $B$ accepts (this event is denoted by $\mathrm{dec}_B = \mathrm{accept}$) if the strings $y_B$
      and $z_B$ it received satisfy the following conditions:

      – $y_B = h_{w'}(f^{n+\ell}(\Pi_B))$

      – $\mathrm{Ver}_{k_1(\Pi_B)}(t_B, z_B) = \mathrm{accept}$, where $t_B$ is the session transcript so far
        as seen by $B$ and $k_1(\Pi_B)$ is defined analogously to $k_1(\Pi_A)$.

   If $\Pi_B = \bot$, then $B$ will immediately reject. If $B$ accepts, it outputs
   $k_2(\Pi_B) = b(f^{\ell}(\Pi_B)) \cdots b(f^{n+\ell-1}(\Pi_B))$.
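The following is an added example and not code from the paper: a toy Python instantiation of the bare polynomial-evaluation protocol of Sec. 3.1, of the person-in-the-middle attack described there, and of Protocol 6 with its validation phase, run against that same attacker. Every cryptographic component is a stand-in and an assumption of the example, not the paper's construction: the secure polynomial evaluation is modelled as a trusted function computing the functionality of Definition 4 (no two-party protocol is implemented), $\mathrm{Commit}$ is a SHA-256 hash of the polynomial and the coins (computationally, not perfectly, binding), the seed-committed generator $G$ is replaced by SHA-512 (its last 16 bytes play the role of $f^{n+\ell}(s)$), the hash family is the pairwise independent family "low $m$ bits of $a'x + b'$ over $\mathrm{GF}(2^{128})$" with $(a', b')$ derived from $w'$ by SHA-256 (not the short-index family of Lemma 5), and the MAC is the paper's $am + b$ over $\mathrm{GF}(2^{128})$ applied to a SHA-256 digest of the transcript. The parameters $n = 128$ and $m = 32$ are toy values.

```python
import hashlib
import secrets

N = 128                                   # field GF(2^128), i.e. n = 128
IRRED = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128+x^7+x^2+x+1
M = 32                                    # output length m of the hash family
ID_POLY = (1, 0)                          # identity polynomial of the Sec. 3.1 attacker

def gf_mul(a, b):
    """Carry-less product of two field elements, reduced modulo IRRED."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= IRRED
    return r

def poly_eval(Q, x):
    """Q = (a, c) is the linear non-constant polynomial a*x + c, a != 0."""
    return gf_mul(Q[0], x) ^ Q[1]

def random_linear_poly():
    """A uniformly random linear non-constant polynomial (a, c)."""
    return (secrets.randbits(N) or 1, secrets.randbits(N))

def commit(Q, r):
    """Commit(Q, r); hash-based, hence only computationally binding (assumption)."""
    return hashlib.sha256(b"commit" + Q[0].to_bytes(16, "big")
                          + Q[1].to_bytes(16, "big") + r).digest()

def augmented_poly_eval(Q, cA, rA, cB, x):
    """Definition 4 as a trusted function: Q(x) if c_A = c_B opens to Q, else None."""
    if cA != cB or commit(Q, rA) != cA:
        return None
    return poly_eval(Q, x)

def G(s):
    """Stand-in for G(s) (assumption: SHA-512, not an iterated one-way permutation).
    Returns k1 = MAC key (a, b), k2 = session key, v = the role of f^{n+l}(s)."""
    d = hashlib.sha512(b"G" + s.to_bytes(16, "big")).digest()
    k1 = (int.from_bytes(d[:16], "big"), int.from_bytes(d[16:32], "big"))
    return k1, d[32:48], int.from_bytes(d[48:], "big")

def h(w_prime, x):
    """h_{w'}(x) = low M bits of a'*x + b' over GF(2^128): regular and pairwise
    independent for uniform (a', b'); deriving them from w' is an assumption."""
    d = hashlib.sha256(b"hash-index" + w_prime).digest()
    a = int.from_bytes(d[:16], "big") | 1          # force a' != 0
    return (gf_mul(a, x) ^ int.from_bytes(d[16:], "big")) & ((1 << M) - 1)

def mac(k1, transcript):
    """One-time MAC_{a,b}(m) = a*m + b on a SHA-256 digest of the transcript
    (assumption: the paper MACs the transcript itself over GF(2^{p(n)}))."""
    m = int.from_bytes(hashlib.sha256(transcript).digest()[:16], "big")
    return gf_mul(k1[0], m) ^ k1[1]

def A_validation(piA, w_prime, cA):
    """Steps 4 and 5a: A sends (y_A, z_A) and outputs the key k2(Pi_A)."""
    k1, k2, v = G(piA)
    yA = h(w_prime, v)
    tA = cA + yA.to_bytes(M // 8, "big")           # transcript as A sees it
    return yA, mac(k1, tA), k2

def B_decision(piB, w_prime, cB, yB, zB):
    """Step 5b: B outputs k2(Pi_B) iff the hash and the MAC verify, else None."""
    if piB is None:
        return None
    k1, k2, v = G(piB)
    tB = cB + yB.to_bytes(M // 8, "big")
    if yB != h(w_prime, v) or zB != mac(k1, tB):   # Ver recomputes the tag
        return None
    return k2

def honest_run(w, w_prime):
    """Protocol 6 with a passive adversary: every message arrives unchanged."""
    QA, rA = random_linear_poly(), secrets.token_bytes(16)
    cA = commit(QA, rA)
    piB = augmented_poly_eval(QA, cA, rA, cA, w)   # c_B = c_A
    yA, zA, keyA = A_validation(poly_eval(QA, w), w_prime, cA)
    return keyA, B_decision(piB, w_prime, cA, yA, zA)

def bare_protocol_attack(w):
    """Sec. 3.1: C feeds B the identity polynomial, so B's key Q_C(w) is the
    password itself, while A's key Q_A(w) is a random field element."""
    return poly_eval(random_linear_poly(), w), poly_eval(ID_POLY, w)

def mitm_against_protocol6(w, w_prime):
    """The same adversary against Protocol 6: toward B it commits to id and runs
    the evaluation (so Pi_B = w), then forwards A's y_A and z_A to B."""
    QA, rA = random_linear_poly(), secrets.token_bytes(16)
    cA = commit(QA, rA)
    yA, zA, keyA = A_validation(poly_eval(QA, w), w_prime, cA)
    rC = secrets.token_bytes(16)
    cC = commit(ID_POLY, rC)
    piB = augmented_poly_eval(ID_POLY, cC, rC, cC, w)   # B obtains Pi_B = w
    return keyA, B_decision(piB, w_prime, cC, yA, zA)
```

In an honest run both parties output the same 16-byte key. Against the bare protocol, `bare_protocol_attack` returns B's "key" equal to the password $w$ itself, a value from the small dictionary, which is exactly the problem Sec. 3.2 describes. Against Protocol 6 the same adversary forwards $y_A = h_{w'}(v(\Pi_A))$, but $B$ checks it against $h_{w'}(v(\Pi_B))$ with $\Pi_B = w \neq \Pi_A$; since $w'$ is unknown to $C$, the two hash values are (pairwise) independent, so $B$ rejects except with probability about $2^{-m}$, and the MAC over the (different) transcript would fail in any case.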



4 Security Theorems 

Theorem 7. Protocol 6 is secure for the dictionary $\mathcal{D} \times \mathcal{D}' = \mathcal{D} \times \{0,1\}^{d'}$
against passive adversaries. More formally, for every passive PPT real adversary $C$,
there exists an ideal adversary $C_{\mathrm{ideal}}$ which always sends $(\mathrm{dec}_A, \mathrm{dec}_B) = (1,1)$
to the trusted party such that for every auxiliary input $\sigma \in \{0,1\}^{\mathrm{poly}(n)}$,

$$\{\mathrm{IDEAL}_{C_{\mathrm{ideal}}}(\mathcal{D} \times \mathcal{D}', \sigma)\}_n \equiv \{\mathrm{REAL}_C(\mathcal{D} \times \mathcal{D}', \sigma)\}_n .$$

Theorem 8. Protocol 6 is $(1-\gamma)$-secure with respect to the session-key challenge
for the dictionary $\mathcal{D} \times \mathcal{D}' = \mathcal{D} \times \{0,1\}^{d'}$, for
$\gamma = \max\left(\frac{\mathrm{poly}(n)}{|\mathcal{D}|}, \frac{\mathrm{poly}(n)}{|\mathcal{D}'|}\right)^{1/6}$. More
precisely, $\gamma = \max$
Fig. 1. Overview of our protocol. The figure shows the message flow of Protocol 6:

   A has $(w, w')$ and picks a random $Q_A$                         B has $(w, w')$
   Commitment $c_A = \mathrm{Commit}(Q_A, r_A)$            $\longrightarrow$      $c_B$
   Secure polynomial evaluation: $A$ inputs $(Q_A, c_A, r_A)$, $B$ inputs $w$ and obtains $\Pi_B$
   $\Pi_A = Q_A(w)$
   Hash $y_A = h_{w'}(f^{n+\ell}(\Pi_A))$                  $\longrightarrow$      $y_B$
   MAC of transcript $z_A = \mathrm{MAC}_{k_1(\Pi_A)}(t_A)$      $\longrightarrow$      $z_B$
   Output key $k_2(\Pi_A)$                                Accept if $y_B = h_{w'}(f^{n+\ell}(\Pi_B))$
                                                          and $\mathrm{Ver}_{k_1(\Pi_B)}(t_B, z_B) = \mathrm{accept}$;
                                                          if accept, output key $k_2(\Pi_B)$



The shared dictionary of the form $\mathcal{D} \times \{0,1\}^{d'}$ required in Theorem 8 can be
realized from several other types of dictionaries $\mathcal{D}''$, achieving security bounds
of the form $(\mathrm{poly}(n)/|\mathcal{D}''|)^{\Omega(1)}$ in all cases:

Single Random Password
  We can split a single random password from a dictionary $\mathcal{D}'' = \{0,1\}^{d+d'}$ into
  two parts, one of length $d$ and one of length $d'$.

Arbitrary Password with Common Random String
  We can convert a password from an arbitrary dictionary $\mathcal{D}'' \subseteq \{0,1\}^n$
  into a single random password (as in the previous bullet) in the common
  random string model. Specifically, we view the common random string
  $r \in \{0,1\}^{\ell}$ as the seed for a randomness extractor
  $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^{\ell} \to \{0,1\}^{d+d'}$ [20]. Given password $w \in \mathcal{D}''$, the
  honest parties can compute an (almost-uniform) password $\mathrm{Ext}(w, r)$. Using the
  low min-entropy extractors of [13,23], the length of the common random string
  need only be $\ell = O(\log n + \log |\mathcal{D}''|)$. (Unlike the protocols of [12] and [16],
  this requires knowing a lower bound on the size of the dictionary $|\mathcal{D}''|$.)

Two Independent Passwords
  If the parties share two independent passwords $w_1, w_2$ coming from arbitrary
  dictionaries $\mathcal{D}''_1, \mathcal{D}''_2 \subseteq \{0,1\}^n$, then they can apply an extractor for 2
  independent weak random sources [9] to convert these into an almost-uniform
  password. Unfortunately explicit constructions for 2-source extractors are
  only known when $|\mathcal{D}''_1| \cdot |\mathcal{D}''_2| \geq 2^n$, but nonconstructively there exist 2-source
  extractors that would only require the dictionaries to be of size $\mathrm{poly}(n)$.
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5 Overview of the Proof 



Like in [12], the main part of the proof of Theorem 8 is the key-match property: if Π_A ≠ Π_B, then B will reject with probability 1 − O(γ). Once the key-match property is established, we can easily adapt the proofs in [12] to our specific protocol to build an ideal adversary which simulates the real adversary's view.

The main part of our proof that is new (and simpler than [12]) is the key-match property. As noted in the introduction, the adversary C has total control over the scheduling of the two interactions (A, C) and (C, B). Hence the key-match property will be proved for every possible scheduling case, including those for which these interactions are concurrent. Nevertheless, the key-match property will be established by tools of secure two-party computation, which a priori only guarantee security in the stand-alone setting.

Recall that B accepts iff two conditions are satisfied: the string y_B received must equal h_{w'}(f^{2n}(Π_B)) and the MAC z_B received must be a valid MAC, i.e. Ver_{k_1(Π_B)}(t_B, z_B) = accept. Hence, to establish the key-match property, we can omit the verification of the MAC by B and only consider the probability that C succeeds in sending the value h_{w'}(f^{2n}(Π_B)) when Π_A ≠ Π_B. (Like in [12], the MAC is only used to reduce the simulation of active adversaries to the simulation of passive adversaries plus the key-match property.)

We consider two scheduling cases (see Figures 2 and 3):

Scheduling 1: C sends the commitment c_B to B after A sends the hash value y_A.

The intuition for this case is that we have two sequential executions (A, C) and (C, B). Using the security of the polynomial evaluation (A, C), we show that even if C receives y_A, the hash index w' is (1 − ε)-pseudorandom with respect to the adversary's view. Hence, by the uniformity property of the hash functions, C cannot do much better than randomly guess the value of h_{w'}(f^{2n}(Π_B)).

Scheduling 2: C sends the commitment c_B to B before A sends the hash value y_A.

The almost pairwise independence property means that for fixed values x_1 ≠ x_2 ∈ {0,1}^n, if the index w' is chosen at random and independently of x_1 and x_2, then given the value h_{w'}(x_1), one cannot do much better than randomly guess the value h_{w'}(x_2). Before y_A is sent, the hash index w' is random (since it has not been used by A). Thus, if we show that the values Π_A and Π_B can be computed before y_A is sent, then w' is independent of x_1 = f^{2n}(Π_A) and x_2 = f^{2n}(Π_B), and the adversary cannot guess h_{w'}(x_2) even given y_A = h_{w'}(x_1). To show that Π_A and Π_B can be computed before y_A is sent, we use an ideal augmented polynomial evaluation (C, B) to extract an opening of the adversary's commitment c_B. (The adversary must input such an opening in the ideal evaluation, else B will reject.)
[Fig. 2. First scheduling. Parties A(Q_A, w, w'), C and B(w, w'). Labels recovered from the figure: c_A = Commit(Q_A, r_A); Q_A, c_A, r_A; Π_A = Q_A(w); polynomial evaluation; y_A; c_B; w; polynomial evaluation; Π_B; y_B. In this scheduling c_B reaches B after A has sent y_A.]

[Fig. 3. Second scheduling. Same parties and labels as Fig. 2; in this scheduling c_B reaches B before A sends y_A.]
Abstract. We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.

Previous constructions for Oblivious Transfer in the bounded storage model required polynomially many rounds of interaction. Our protocol has only 5 messages. We also improve other parameters, such as the number of bits transferred and the probability of prematurely aborting the protocol due to failure.

Our techniques utilize explicit constructions from the theory of derandomization. In particular, we use constructions of almost t-wise independent permutations, randomness extractors and averaging samplers.

1 Introduction

Oblivious transfer (OT) is one of the fundamental building blocks of modern cryptography. First introduced by Rabin [Rab81], oblivious transfer can serve as a basis for a wide range of cryptographic tasks. Most notably, any multi-party secure computation can be based on the security of OT. This was shown for various models in several works (cf. [Yao86,GMW87,Kil88]).

Oblivious transfer has been studied in several variants, all of which were eventually shown to be equivalent. In this paper we consider the one-out-of-two variant of OT by Even, Goldreich and Lempel [EGL85], which was shown to be equivalent to Rabin's variant by Crépeau [Cré87].

¹ Part of this work was done while at the Weizmann Institute of Science, Israel.

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 446-472, 2004.
One-out-of-two OT is a protocol between two players, Alice holding two secrets s_0 and s_1, and Bob holding a choice bit c. At the end of the protocol Bob should learn the secret of his choice (i.e., s_c) but learn nothing about the other secret. Alice, on the other hand, should learn nothing about Bob's choice c.

Traditionally, constructions for OT have been based on strong computational assumptions: either specific assumptions such as factoring or Diffie-Hellman (cf. [Rab81,BM89,NP01]) or generic assumptions such as the existence of enhanced trapdoor permutations (cf. [EGL85,Gol03,GKM+00]). In contrast, OT cannot be reduced in a black box manner to presumably weaker primitives such as one-way functions [IR89].

This state of affairs motivates the construction of OT in other types of setups. Indeed, protocols for OT were suggested in different models such as under the existence of noisy channels [CK88] or quantum channels [BBCS92]. In this work we follow a direction initiated by Cachin, Crépeau and Marcil [CCM98] and construct OT in the Bounded Storage model.


1.1 The Bounded Storage Model

In contrast to the usual approach in modern Cryptography, Maurer's bounded storage model [Mau92,Mau93] bounds the space (memory size) of dishonest players rather than their running time.

In a typical protocol in the bounded storage model a long random string R of length N is initially broadcast and the interaction between the polynomial-time participants is conducted based on a short portion of R.² What makes such protocols interesting is that, even though the honest players store only a small fraction k ≪ N of the string R, security is guaranteed even against dishonest players with space K where k ≪ K < N. Moreover, dishonest players are not restricted to be computationally bounded (this is formalized by allowing dishonest players to choose an arbitrary memory function g* : {0,1}^N → {0,1}^K, and store g*(R); from that moment on, they are not bounded in any way). Naturally, we'd like to maximize K and minimize k. In this paper we have K = νN for an arbitrary constant ν < 1 and k will be about N^{1/2+c} for an arbitrarily small constant c > 0 (see Section 1.3).

The bounded storage model has two appealing properties: (1) The security obtained is information theoretic and thus everlasting in the sense that security is guaranteed even if adversaries acquire infinite space after the protocol is executed. (2) Protocols in the bounded storage model need not rely on any assumption except the limitation on the storage capabilities of the adversary.

The latter property should be contrasted with traditional works in Cryptography in which, besides bounding the adversary's computational capabilities, it is also required to rely on unproven hardness assumptions (such as the existence of enhanced trapdoor permutations, or the hardness of factoring large integers).

² One possible implementation is that R is broadcast at a very high rate by a trusted party. Another possibility is to have R transmitted from a satellite. We remark that in our protocol (as in many previous ones) one of the parties can transmit these bits. Furthermore, the assumption that R is uniformly distributed can be relaxed and it is sufficient that R has high min-entropy.




448 Y.Z. Ding et al. 



We mention that most of the previous work on the bounded storage model concentrated on private key encryption [Mau92,CM97,AR99,ADR02,DR02,DM02,Lu02,Vad03] and key agreement [Mau93,CM97].

1.2 Oblivious Transfer in the Bounded Storage Model

A protocol for OT in the bounded storage model was given in [CCM98]. This protocol requires k ≈ … and allows K = νN for an arbitrary constant ν < 1. The error ε in this protocol is rather large. (Loosely speaking, the error ε measures the probability that a dishonest receiver with storage bound K learns both secrets.)

A modified protocol with smaller error ε and smaller space k was given in [Din01]. For every constant c > 0, it achieves k = N^{1/2+c} and ε = 2^{-…}, where c' > 0 is a constant that depends on c. We mention that the security of [Din01] is proven in a slightly different (and weaker) model, where it is assumed that two random strings R_1, R_2 of length 6K are transmitted one after the other and the bounded receiver chooses what to remember about R_2 as a function of what he remembers about R_1. The work of [Din01] was subsequently extended to deal with one-out-of-k OT for any small constant k > 2 in [HCR02].³

All protocols mentioned above require a lot of interaction. Specifically, to achieve the error ε above they require the exchange of polynomially many messages between the two players.

1.3 Our Results

We give a constant round OT protocol in the bounded storage model. Our protocol uses 5 messages following the transmission of the random string R. We achieve parameters k and ε similar to those of [Din01] (that is, for every c > 0 there exists c' > 0 such that our protocol has k = N^{1/2+c} and ε = 2^{-…}) while working in the stronger model of [CCM98]. Similar to [CCM98] we can achieve K = νN for an arbitrary constant ν < 1.

In addition to being constant round, our protocol also achieves the following improvements over [CCM98,Din01]:

- The previous protocols are designed to transfer secrets in {0,1}. Thus, transferring long secrets requires many messages. Our protocol can handle secrets of length … in one execution.

- The previous protocols abort unsuccessfully with probability 1/2 even if both players are honest. Our protocol aborts only with probability 2^{-…}.

- For error ε = 2^{-…}, the number of bits communicated in the two previous protocols is at least …. In contrast, for the same error our protocol communicates only O(k^{…}) bits.

We also give a precise definition for the security of oblivious transfer in the bounded storage model, and point out difficulties arising when trying to consider the more standard notion of a "simulation based" definition.

³ We note that a similar extension can be easily applied to our work.
1.4 Interactive Hashing

An important building block in the OT protocol is a construction of a constant round 2-to-1 interactive hashing protocol for unbounded parties. Loosely speaking, in such a protocol Bob holds an input W ∈ {0,1}^m, and Alice and Bob want to agree on a pair W_0, W_1 such that W_d = W for some d ∈ {0,1}, yet Alice does not know d. It is also required that a dishonest Bob cannot "control" both W_0 and W_1. (See Section 5 for a precise definition.)

As observed in [CCM98], the protocol of Naor, Ostrovsky, Venkatesan and Yung [NOVY98] (originally used in the context of perfectly-hiding commitments) achieves 2-to-1 interactive hashing. One major drawback of the NOVY protocol, however, is that it requires m rounds of interaction. In this paper we give a new 4-message protocol for 2-to-1 interactive hashing that can be used to replace the NOVY protocol in the context of oblivious transfer in the bounded-storage model. Our protocol relies on a construction of almost t-wise independent permutations, such as the construction presented by Gowers in [Gow96].

Organization. Due to space limitations, some of the details and proofs have been omitted from this version. In Section 2 we present an overview of the techniques that were utilized to achieve our results. Some preliminary definitions are given in Section 3. Section 4 provides a definition of OT in the bounded storage model. In Section 5 we define and state our theorem regarding interactive hashing. The OT protocol is presented in Section 6. Sections 7, 8 and 9 give a high level analysis of the protocol. Conclusions and open problems are in Section 10.



2 Overview of the Technique

As motivation for our protocol, we begin by suggesting a simple protocol for OT in the bounded storage model which is bad in the sense that it requires large storage from the honest parties: Alice is required to store all of the string R and Bob is required to store half this string. We partition the N bit long string R into two equally long parts R_0, R_1 of length N/2. Recall that Alice has two secrets s_0, s_1 and Bob has a "choice bit" c and wants to obtain s_c. Bob will choose which of the two parts R_0, R_1 to store depending on his "choice bit" c.

Input of Alice: Secrets s_0, s_1.

Input of Bob: Choice bit c ∈ {0,1}.

A random string R = (R_0, R_1) is transmitted.

Alice: Store all of R.

Bob: Store R_c.

Alice: For i ∈ {0,1}, choose a uniformly random seed Y_i, compute V_i = Ext(R_i, Y_i) and Z_i = V_i ⊕ s_i. Send Y_i, Z_i.

Bob: Compute V = Ext(R_c, Y_c) and obtain s_c = V ⊕ Z_c.

Fig. 1. A naive protocol for OT
Intuitively, even if Bob is dishonest and has storage bound νN then there is an i ∈ {0,1} such that Bob "does not remember" (1 − ν)N/2 bits of information about R_i. This can be formalized by saying that the conditional entropy of R_i given the memory content of Bob is roughly (1 − ν)N/2. (Actually, in this paper, as in [CCM98,Din01], we work with a variant of entropy called min-entropy.)

Let Ext(X, Y) (Ext for extractor) denote a function such that whenever X has sufficiently high min-entropy and Y is uniformly distributed then Ext(X, Y) is close to being uniformly distributed. (The reader is referred to [Nis96,Sha02] for surveys on extractors.) To complete the protocol, Alice sends Z_i = s_i ⊕ Ext(R_i, Y_i) for both i = 0 and i = 1.

Note that an honest Bob can compute Ext(R_c, Y_c) ⊕ Z_c and obtain s_c. However, if Bob is dishonest then Z_i is close to uniform from Bob's point of view and reveals no information about s_i.⁴ It is easy to prove that even an unbounded dishonest Alice does not learn c.
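The naive protocol of Fig. 1, simulated end to end, as an added example that is not code from the paper. The extractor is a stand-in: inner products of R_i with random seed vectors, a 2-universal hash family that is an extractor by the leftover hash lemma; the paper's Ext is any function with the property stated above. The string length N = 64 and secret length M = 8 are constructed toy parameters, and the final function, which fixes a quarter of R_1 to zero, is this example's own way of showing why a mask derived from a merely high-min-entropy R_1 still looks uniform.

```python
"""Naive bounded-storage OT (Fig. 1) with a 2-universal-hash extractor stand-in."""
import secrets

N = 64   # length of the broadcast string R (toy size, constructed)
M = 8    # secret length = extractor output length (constructed)


def broadcast(n_bits):
    """The public random string R, as a list of bits."""
    return [secrets.randbelow(2) for _ in range(n_bits)]


def ext(x_bits, seed_rows):
    """Ext(X, Y): output bit j is the GF(2) inner product of X with seed row j."""
    return tuple(sum(a & b for a, b in zip(row, x_bits)) & 1 for row in seed_rows)


def alice_send(R, secrets_pair):
    """Alice stores all of R = (R_0, R_1); for each i she sends a fresh seed Y_i
    and Z_i = Ext(R_i, Y_i) XOR s_i."""
    half = len(R) // 2
    parts = (R[:half], R[half:])
    msgs = []
    for i in (0, 1):
        Y = [[secrets.randbelow(2) for _ in range(half)] for _ in range(M)]
        V = ext(parts[i], Y)
        Z = tuple(v ^ s for v, s in zip(V, secrets_pair[i]))
        msgs.append((Y, Z))
    return msgs


def bob_receive(R_c, c, msgs):
    """Bob kept only R_c, so he can unmask Z_c but not Z_{1-c}."""
    Y, Z = msgs[c]
    V = ext(R_c, Y)
    return tuple(v ^ z for v, z in zip(V, Z))


def run_naive_ot(s0, s1, c):
    """One execution; returns the secret Bob recovers for choice bit c."""
    R = broadcast(N)
    half = N // 2
    R_c = R[half * c: half * (c + 1)]   # Bob stores only his half of R
    msgs = alice_send(R, (s0, s1))
    return bob_receive(R_c, c, msgs)


def mask_bias_low_entropy(trials=2000):
    """Why an extractor is used: even if Bob already knows the first quarter of
    R_1 (modelled here by fixing those bits to 0, leaving N/4 random bits),
    the first mask bit of Ext(R_1, Y_1) is still 1 about half the time."""
    half = N // 2
    ones = 0
    for _ in range(trials):
        R_1 = [0] * (half // 2) + broadcast(half - half // 2)
        Y = [[secrets.randbelow(2) for _ in range(half)] for _ in range(M)]
        ones += ext(R_1, Y)[0]
    return ones / trials
```

Correctness holds in every run because Bob recomputes exactly the V_c Alice used; the empirical bias check only illustrates the masking property and is not a proof of security.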

Using a setup stage before the naive protocol. The naive protocol above requires very large storage bounds from the honest parties. In order to instantiate it in a more efficient manner we will first apply a carefully designed setup stage. Our goal is that at the end of the setup stage the two players will agree on two small subsets C_0, C_1 ⊆ [N] of size ℓ ≪ N, such that Alice stores R_0 = R_{C_0} and R_1 = R_{C_1}. (We use R_C to denote the |C| bit long string obtained by restricting R to the indices in C.) Bob remembers only one of R_0, R_1 and cannot remember too much information about the other string. Furthermore, Alice does not know which of the two strings is not known to Bob. Following the setup stage, the two parties can perform OT by using the naive protocol. We call this second stage the transfer stage. As the sets C_0, C_1 are of size ℓ ≪ N, the storage required by the honest parties at the transfer stage is much smaller than before, and honest players can follow the naive protocol with space O(ℓ) ≪ N.

A long random string R of length N is transmitted.

Alice: Choose random A ⊆ [N] of size n and store R_A.

Bob: Choose random B ⊆ [N] of size n and store R_B.

Alice: Send A to Bob.

Bob: Verify that C = A ∩ B is of size at least ℓ = n²/2N.

Alice and Bob: Play an interactive hashing protocol where Bob's input is C. Both Alice and Bob obtain C_0, C_1 ⊆ A such that C ∈ {C_0, C_1}.

At this point, Alice and Bob use the naive protocol with R_0 = R_{C_0} and R_1 = R_{C_1}.

Fig. 2. The protocol for the setup stage

⁴ We mention that the argument above is imprecise. Given the memory content of Bob, the strings Z_0, Z_1 are no longer independent. Thus, to prove security it is not sufficient to prove that Z_i is uniformly distributed given the memory content of Bob. In the technical proof we prove that Z_i is uniformly distributed given the memory content of Bob, Z_{1-i} and Y_0, Y_1.
Implementing the setup stage. An implementation for such a setup stage was suggested in [CCM98]: Alice and Bob each choose a random subset of [N] of size n = √(2Nℓ). We denote them by A and B respectively. When the string R is transmitted Alice and Bob store R_A and R_B respectively. Alice then sends A to Bob. By the birthday paradox, with high probability C = A ∩ B is of size roughly ℓ. Note that Bob remembers R_C, and Alice does not know C.

To complete the setup stage, Alice and Bob play an interactive hashing protocol with W = C. They obtain sets C_0, C_1 ⊆ A such that C = C_d for some d ∈ {0,1} and such that Alice does not know d. The security requirement of the interactive hashing can then be used to guarantee that Bob "does not remember a lot of information" about one of the strings R_{C_0}, R_{C_1}. Thus, the two sets C_0, C_1 satisfy the properties required above and the parties can complete the OT protocol by using the naive protocol.⁵ Note that the setup stage requires the honest parties to store only k = n = √(2Nℓ) bits. In this presentation, we did not discuss the security of Bob; however, it is easy to show that even an unbounded Alice, which remembers all of R, cannot learn any information about c.

Previous protocols. The protocols of [CCM98,Din01] both use the setup stage described above. They implement interactive hashing using the NOVY protocol from [NOVY98] which takes t = k^{…} rounds. Following the setup stage they perform what can be seen in retrospect as variants of our naive protocol. (Both papers do not use extractors explicitly; however, their strategies can be viewed as some (weak) implementations of extractors.)

Our improvements. Our main improvement comes from replacing the NOVY protocol for interactive hashing by a new 4-message protocol. This protocol is based on explicit constructions of almost t-wise independent permutations. Some of the additional improvements are given by using competitive explicit constructions of extractors for the naive protocol above. Another source of improvement comes from allowing Alice to choose the set A using an averaging sampler (the reader is referred to [Gol97] for a survey on samplers). Choosing the set A using a competitive averaging sampler reduces the memory requirements of Alice and Bob, as well as the overall communication.⁶ We remark that the usefulness of extractors in the bounded storage model was demonstrated in [Lu02], and that of averaging samplers was demonstrated in [Vad03].⁷ Our paper can be seen as another example of the usefulness of ideas from the theory of derandomization when designing protocols for the bounded storage model.

⁵ A subtlety is that Bob has no control over whether C = C_0 or C = C_1. In the actual protocol we allow Bob to ask Alice to "switch" between the roles of C_0, C_1 in order to receive the desired secret.

⁶ Note that by using a sampler to choose the set B as well, we can further improve the total communication and memory requirements.

⁷ It should be noted that the seminal paper of Nisan and Zuckerman [NZ96] which defined extractors already used them in a very related context to construct pseudorandom generators against bounded space machines.
2.1 The Improved Interactive Hashing Protocol

In an interactive hashing protocol Bob holds an input W ∈ {0,1}^m and at the end of the protocol both parties should agree on W_0, W_1. It is required that there is a d ∈ {0,1} such that W = W_d and that a dishonest Alice cannot learn d. The main requirement is that a dishonest Bob cannot "control" both W_0, W_1. This is captured by the following condition: For every strategy of Bob and every set S of size 2^s (where s is a parameter), if Alice is honest then with high probability Bob cannot force that both W_0 and W_1 are in S.

A naive solution. A naive solution to this problem is that Alice sends a random 2-to-1 "hash function" h : {0,1}^m → {0,1}^{m-1} and Bob replies with z = h(W). Then the two parties compute the two preimages W_0, W_1 of z under h. Note that for s > m/2 this protocol fails even if Alice sends a completely random function h : {0,1}^m → {0,1}^{m-1}. (By the birthday paradox, for every S of size 2^s > 2^{m/2}, with high probability over h there are W_1, W_2 ∈ S such that h(W_1) = h(W_2).)

The NOVY protocol. The NOVY protocol [NOVY98] for interactive hashing can be thought of as a variant of the naive solution described above in which Alice does not send "all" of the hash function at once. Alice chooses a random m × m matrix A with entries in {0,1} subject to the restriction that A is invertible. Every such A can be seen as defining a function h_A(x) = A · x. It is easy to see that the function h_A is a pairwise independent permutation. In particular, the function h'_A(x) = (A · x)_{1,...,m-1} is 2-to-1. The protocol consists of m − 1 rounds. In round i, Alice sends A_i (the i'th row of A), and Bob replies with the bit z_i = ⟨A_i, W⟩ = h_A(W)_i. Intuitively, revealing h_A slowly in return for the bits z_i restricts Bob in the sense that he has to "choose at least part of his input" before seeing all of h_A.

The new protocol. Viewing the NOVY protocol this way suggests the following improvement: We replace the family {h_A}_A by a family of permutations with stronger independence properties. Namely, we will let π be randomly chosen from a family of m-wise independent permutations. In the new protocol, Alice sends π to Bob and in exchange Bob sends at once z_1, ..., z_v where z_i = π(W)_i, for v close to m. We can show that the independence properties of π "protect Alice" and allow the parties to engage in a new interactive hashing protocol for sending the remaining few m − v bits. By choosing the parameters appropriately, the two parties can use the naive solution (with a pairwise independent hash function g : {0,1}^{m-v} → {0,1}^{m-v-1}) after the first round. As a result we obtain a 2-round (4-message) protocol (see Section 5.4).

Unfortunately, we are not aware of any explicit construction of a small sample space of t-wise independent permutations for t > 3. Nevertheless, in [Gow96] (see also [NR99] and the references therein) it was shown how to construct a sample space of permutations in which every t elements are close to being independent, and we can carry out the argument with this weaker property.
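The 4-message structure just described, as an added example that is not code from the paper: message 1 carries π, message 2 the first v bits of π(W), message 3 a pairwise independent 2-to-1 hash g on the remaining m − v bits, and message 4 the value g(π(W)_{v+1..m}); both sides then compute the two preimages. Two simplifications are this example's own assumptions: the almost m-wise independent permutation is replaced by a truly random permutation of a 10-bit domain (fine at toy size, not a small sample space), and the split v = m − 3 is arbitrary. The hash g is built exactly as the page describes h'_A: a random invertible matrix over GF(2) with its last output bit dropped.

```python
"""Toy run of the 2-round (4-message) interactive hashing protocol of Section 2.1."""
import secrets

M_BITS = 10            # |W| = m bits (constructed toy size)
V_BITS = M_BITS - 3    # Bob reveals v = m - 3 bits of pi(W) in message 2 (assumed split)


def random_permutation(size):
    """Stand-in for an almost m-wise independent permutation: a uniformly
    random permutation of {0, ..., size-1} via Fisher-Yates."""
    perm = list(range(size))
    for i in range(size - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def gf2_rank(rows, width):
    """Rank over GF(2) of row vectors given as width-bit integers."""
    rows = list(rows)
    rank = 0
    for bit in reversed(range(width)):
        pivot = None
        for i in range(rank, len(rows)):
            if (rows[i] >> bit) & 1:
                pivot = i
                break
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def random_invertible_matrix(n):
    """Random invertible n x n matrix over GF(2); row i is an n-bit integer."""
    while True:
        rows = [secrets.randbelow(1 << n) for _ in range(n)]
        if gf2_rank(rows, n) == n:
            return rows


def apply_matrix(rows, x):
    """A . x over GF(2): bit i of the result is the parity of <row_i, x>."""
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i
    return out


def two_to_one_hash(rows, x):
    """g(x) = (A . x) with its top bit dropped: pairwise independent and 2-to-1."""
    n = len(rows)
    return apply_matrix(rows, x) & ((1 << (n - 1)) - 1)


def interactive_hashing(W):
    """Runs the protocol on Bob's input W and returns the agreed pair (W_0, W_1)."""
    m, v = M_BITS, V_BITS
    r = m - v                                   # bits left for the second round
    pi = random_permutation(1 << m)             # message 1: Alice -> Bob
    image = pi[W]
    z = image >> r                              # message 2: Bob -> Alice, top v bits
    A = random_invertible_matrix(r)             # message 3: Alice -> Bob, the hash g
    y = two_to_one_hash(A, image & ((1 << r) - 1))   # message 4: Bob -> Alice
    # Both parties: the two x with g(x) = y, glued to z, pulled back through pi.
    inverse = [0] * (1 << m)
    for w, img in enumerate(pi):
        inverse[img] = w
    candidates = [inverse[(z << r) | x] for x in range(1 << r)
                  if two_to_one_hash(A, x) == y]
    return tuple(sorted(candidates))
```

Because A is invertible, x ↦ A·x is a bijection on {0,1}^{m−v} and dropping one output bit makes g exactly 2-to-1, so the candidate list always has exactly two entries, one of which is W; which of the two is W is the bit d that Alice must not learn.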
3 Preliminaries

We use [N] to denote the set {1, ..., N}. We use X ←_R S to denote uniformly choosing X from S. For a set A ⊆ [N] and a string R ∈ {0,1}^N we let R_A denote the substring of R consisting of the bits indexed by A. For a set S and ℓ ≤ |S|, we use (S choose ℓ) to denote the set of all subsets T ⊆ S with |T| = ℓ.

Encoding subsets. We use a method of encoding sets in ([n] choose ℓ) into binary strings. The following method was used in [CCM98]:

Theorem 3.1 ([Cov73]) For all integers ℓ ≤ n there is a one to one mapping F : ([n] choose ℓ) → [C(n,ℓ)] such that both F and F^{-1} can be computed in time polynomial in n and space O(log C(n,ℓ)).

Using Theorem 3.1 we can encode ([n] choose ℓ) by binary strings of length ⌈log C(n,ℓ)⌉. However, it could be the case that images of subsets constitute only slightly more than half of the strings above. This is exactly what causes the protocols of [CCM98,Din01] to unsuccessfully abort with probability 1/2 (and is solved by repeating the protocol until the execution succeeds). Since in this work we are aiming for low round complexity, it would be beneficial to have the probability of unsuccessful abort be significantly smaller than 1/2. To achieve this, we will use a more redundant encoding. This encoding is more "dense" than the original one and thus guarantees that most strings can be decoded.

Definition 3.2 (Dense encoding of subsets) For all integers ℓ ≤ n let F be the mapping from Theorem 3.1. Given an integer m ≥ ⌈log C(n,ℓ)⌉ we set t_m = ⌊2^m / C(n,ℓ)⌋. Define the mapping F_m : ([n] choose ℓ) × [t_m] → {0,1}^m as F_m(S, i) = (i − 1)·C(n,ℓ) + F(S) (every subset S is mapped to t_m different m bit strings).

We now have the following Lemma (proof omitted).

Lemma 3.3 For every ℓ ≤ n and m ≥ ⌈log C(n,ℓ)⌉, the encoding F_m is a one-to-one mapping. Furthermore: (1) F_m and F_m^{-1} are computable in time poly(n, log m) and space O(log C(n,ℓ)) + log m. (2) Let D be the image of F_m (D contains all m bit strings that are legal encodings of subsets); then |D|/2^m ≥ 1 − C(n,ℓ)/2^m.
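An added example, not the paper's code, that ties the setup stage of Fig. 2 to Theorem 3.1 and Definition 3.2: the ranking F is Cover's combinatorial number system (the standard bijection from ℓ-subsets to integers, which is what [Cov73] provides), the dense encoding F_m and its inverse follow Definition 3.2 literally, and setup_stage samples A and B as in Fig. 2, checks |A ∩ B| ≥ ℓ, and turns C into Bob's hashing input W. Two conventions are this example's own: ranks are 0-based, so F maps into {0, ..., C(n,ℓ)−1} rather than [C(n,ℓ)], and positions of C are taken relative to the sorted set A (so the decoded sets are subsets of A); taking the first ℓ common indices when |C| > ℓ is an assumption made here, not a rule from the paper.

```python
"""Dense subset encoding (Definition 3.2) fed by the setup-stage sampling of Fig. 2."""
from itertools import combinations
from math import comb, isqrt
import random


def rank_subset(S):
    """Cover's combinatorial number system: sorted s_1 < ... < s_l maps to
    sum_i C(s_i - 1, i); a bijection onto {0, ..., C(n,l)-1}."""
    return sum(comb(s - 1, i) for i, s in enumerate(sorted(S), start=1))


def unrank_subset(r, l):
    """Inverse of rank_subset: peel off the largest s_i with C(s_i - 1, i) <= r."""
    S = []
    for i in range(l, 0, -1):
        s = i
        while comb(s, i) <= r:
            s += 1
        S.append(s)
        r -= comb(s - 1, i)
    return sorted(S)


def ranks_cover(n, l):
    """Sanity check of Theorem 3.1 on small parameters: every l-subset of [n]
    gets a distinct rank below C(n,l) and unranking recovers it."""
    ranks = set()
    for S in combinations(range(1, n + 1), l):
        r = rank_subset(S)
        if unrank_subset(r, l) != list(S):
            return False
        ranks.add(r)
    return ranks == set(range(comb(n, l)))


def dense_encode(S, i, n, l, m):
    """F_m(S, i) = (i - 1) * C(n,l) + F(S) for i in [t_m], t_m = floor(2^m / C(n,l))."""
    c = comb(n, l)
    t_m = (1 << m) // c
    if not 1 <= i <= t_m:
        raise ValueError("i must lie in [t_m]")
    return (i - 1) * c + rank_subset(S)


def dense_decode(x, n, l, m):
    """Inverse of F_m; returns None for the m-bit strings outside the image D."""
    c = comb(n, l)
    t_m = (1 << m) // c
    if not 0 <= x < t_m * c:
        return None
    return unrank_subset(x % c, l), x // c + 1


def decodable_fraction(n, l, m):
    """|D| / 2^m; Lemma 3.3 (2) promises this is at least 1 - C(n,l)/2^m."""
    c = comb(n, l)
    return ((1 << m) // c) * c / (1 << m)


def setup_stage(N, l, m, seed=None):
    """Fig. 2 up to Bob's hashing input: n = sqrt(2 N l) so that E|A ∩ B| = 2l.
    Returns (W, S, i, n), or None when Bob aborts for |A ∩ B| < l."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    n = isqrt(2 * N * l)
    A = sorted(rng.sample(range(1, N + 1), n))
    B = sorted(rng.sample(range(1, N + 1), n))
    C = sorted(set(A) & set(B))
    if len(C) < l:
        return None
    pos = {a: k for k, a in enumerate(A, start=1)}   # C as positions inside A
    S = [pos[c] for c in C[:l]]                       # assumption: first l common indices
    t_m = (1 << m) // comb(n, l)
    i = rng.randrange(1, t_m + 1)
    return dense_encode(S, i, n, l, m), S, i, n
```

With N = 400 and ℓ = 4 the sample size is n = 56 and C(56, 4) = 367290, so m = 24 gives t_m = 45 copies of each subset and a decodable fraction of 45 · 367290 / 2^24, comfortably above the Lemma 3.3 bound; a uniformly random 24-bit string therefore decodes to some (S, i) with probability well over 1 − C(n,ℓ)/2^m ≈ 0.978.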

Min-entropy and Extractors. Min-entropy is a variant of Shannon's entropy that measures information in the worst case.

Definition 3.4 (Min-entropy) For a distribution X over a probability space Ω the min-entropy of X is defined by H_∞(X) = min_{x∈Ω} log(1/Pr[X = x]). We say that X is a k-source if H_∞(X) ≥ k.

Definition 3.5 (Statistical distance) Two distributions P and Q over Ω are ε-close (also denoted P ≈_ε Q) if for every A ⊆ Ω, |Pr_{x←P}(A) − Pr_{x←Q}(A)| ≤ ε.
An extractor is a function that "extracts" randomness from arbitrary distributions which "contain" sufficient (min-)entropy [NZ96].

Definition 3.6 (Strong extractor) A function Ext : {0,1}^{n_E} × {0,1}^{d_E} → {0,1}^{m_E} is a (k_E, ε_E)-strong extractor if for every k_E-source X over {0,1}^{n_E} the distribution (Ext(X, Y), Y), where Y is uniform over {0,1}^{d_E}, is ε_E-close to (U_{m_E}, Y) where U_{m_E} is uniform over {0,1}^{m_E}.

We remark that a regular (non-strong) extractor is defined in a similar way, replacing the random variable (Ext(X, Y), Y) by Ext(X, Y).

Averaging Samplers and Min-Entropy Samplers. A fundamental lemma by Nisan and Zuckerman [NZ96] asserts that given a δv-source X on {0,1}^v, with high probability over choosing T ⊆ [v] of size t, X_T is roughly a δt-source.

In [CCM98] this lemma is used to assert that if a bounded storage adversary has memory bound νv for ν ≈ 1 − δ then for a random T he "remembers at most νt bits about X_T". This approach is also used in [Vad03] which constructs private key encryption in the bounded storage model. As shown in [RSW00,Vad03] the lemma does not require a uniformly chosen subset. It is sufficient that T is chosen using a "good averaging sampler"⁸ (such samplers have been the subject of a line of studies starting with [BR94]; see the survey of [Gol97]).

Definition 3.7 (Averaging sampler) A function Samp : [L] → [v]^t is a (μ, θ, γ)-averaging sampler if for every function f : [v] → [0,1] with average value (1/v) Σ_i f(i) ≥ μ,

Pr_{p ←_R [L]} [ (1/t) Σ_{1≤i≤t} f(Samp(p)_i) < μ − θ ] ≤ γ .

The function Samp is said to have distinct samples if for every p ∈ [L], the t outputs of Samp(p) are distinct.

A min-entropy sampler has the property that for most choices of p, the variable X_{Samp(p)} is close to having high min-entropy. As shown in [Vad03], every averaging sampler yields a min-entropy sampler.

Definition 3.8 (Min-entropy sampler) A function Samp : [L] → [v]^t with distinct samples is a (δ, δ', θ, ε)-min-entropy sampler if for every δv-source X over {0,1}^v there is a set G ⊆ [L] of density 1 − θ such that for every p ∈ G the distribution X_{Samp(p)} is ε-close to a δ't-source.

Lemma 3.9 ([Vad03] restated) Let Samp : [L] → [v]^t be a (μ, θ, γ)-averaging sampler with distinct samples for μ = (δ − 2τ)/log(1/τ) and θ = τ/log(1/τ). Then there is a constant c > 0 such that for every 0 < α < 1, Samp is a (δ, δ − 3τ, (γ + 2^{-…})^{1−α}, (γ + …))-min-entropy sampler.

⁸ We remark that most constructions of averaging samplers do not depend on μ and work for every 0 < μ < 1.
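Definitions 3.4, 3.5 and 3.8 computed by hand on a constructed source, as an added example that is not code from the paper. The source is this example's own: a δv-source with δ = 1/2 on {0,1}^8 whose first four coordinates are fixed and whose last four are uniform. Enumerating every 4-subset T plays the role of a trivial sampler with distinct samples, so the set of T for which X_T keeps at least 2 bits of min-entropy is exactly the "good" set G of Definition 3.8 for that sampler; a T that lands in the fixed half sees no entropy at all, which is why the definition only asks for G to have density 1 − θ.

```python
"""Min-entropy, statistical distance and restriction of a source to sampled coordinates."""
from itertools import combinations, product
from math import log2


def min_entropy(dist):
    """H_inf(X) = min_x log(1/Pr[X = x]) for dist: outcome -> probability."""
    return -log2(max(dist.values()))


def statistical_distance(P, Q):
    """max_A |P(A) - Q(A)|, which equals half the L1 distance of the two distributions."""
    keys = set(P) | set(Q)
    return sum(abs(P.get(k, 0.0) - Q.get(k, 0.0)) for k in keys) / 2


def restrict(dist, T):
    """Distribution of X_T: project each outcome (a tuple of bits, coordinates
    numbered from 1 as in [v]) onto the coordinates in T, merging probabilities."""
    out = {}
    for x, p in dist.items():
        key = tuple(x[i - 1] for i in sorted(T))
        out[key] = out.get(key, 0.0) + p
    return out


def uniform_source(v):
    """U_v, the uniform distribution on {0,1}^v."""
    return {x: 1.0 / (1 << v) for x in product((0, 1), repeat=v)}


def half_fixed_source(v):
    """Constructed delta v-source with delta = 1/2: the first v/2 coordinates are
    fixed to 0, the last v/2 are uniform. All of its entropy sits in the second half."""
    free = v // 2
    fixed = (0,) * (v - free)
    return {fixed + tail: 1.0 / (1 << free) for tail in product((0, 1), repeat=free)}


def good_subsets(dist, v, t, threshold):
    """Count the t-subsets T of [v] for which X_T has min-entropy >= threshold:
    the 'good' set G of Definition 3.8 for the sampler that enumerates all t-subsets.
    Returns (good, total)."""
    good = total = 0
    for T in combinations(range(1, v + 1), t):
        total += 1
        if min_entropy(restrict(dist, T)) >= threshold:
            good += 1
    return good, total
```

For the constructed source X_T has exactly j bits of min-entropy when T contains j coordinates from the uniform half, so the count of good subsets is a hypergeometric tally: of the 70 subsets of size 4, the 1 + 16 = 17 that pick at most one uniform coordinate fall below 2 bits and the remaining 53 form G.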




Constant-Round Oblivious Transfer in the Bounded Storage Model 



455 



4 Oblivious Transfer in the Bounded Storage Model 

We now turn to formally define oblivious transfer in the bounded storage model. 
The following definitions characterize malicious strategies for Alice and Bob. 
Note that in the definitions below the malicious strategies are asymmetric. We 
restrict malicious strategies for Bob to have bounded storage while no bounds 
are placed on malicious strategies for Alice. Clearly, if a protocol is secure against 
unbounded strategies for Alice, it is also secure against bounded strategies. Thus, 
the security defined here is even stronger than that explained in the introduction. 

Definition 4.1 (Malicious Strategy for Alice) A {malicious) strategy A* 
for Alice is an unbounded interactive machine with inputs TZ G {0, 1}'^ and 
So, Si G {0,1}“. That is, A* receives TZ and Sq,Si and interacts with B, in each 
stage, it may compute the next message as any function of its inputs, its ran- 
domness and the messages it received thus far. The view of A* when interacting 
with B that holds input c {denoted viewj(^ ’^^(sq, Si; c)) consists of its local out- 
put. ® 

The following definition captures a bounded storage strategy with storage 
bound K. Loosely speaking, the only restriction made on a bounded storage 
strategy B* is that it has some memory function g* : {0, 1}^ — >■ (0, 1}^ and 
its actions depend on TZ only through g*{TZ). This formally captures that B* 
remembers only K bits about TZ. 

Definition 4.2 (Bounded storage strategy for Bob) A bounded storage strategy $B^*$ for Bob with memory bound $K$ is a pair $(g^*, B^*)$ where:

- $g^*: \{0,1\} \times \{0,1\}^N \to \{0,1\}^K$ is an arbitrary (not necessarily efficiently computable) function with input $c$ and $\mathcal{R}$.

- $B^*$ is an unbounded interactive machine with inputs $c \in \{0,1\}$ and $b^* \in \{0,1\}^K$.

The behavior described by a strategy $B^*$ with input $c$ is the following: When given the string $\mathcal{R} \in \{0,1\}^N$, $B^*$ computes $b^* = g^*(c, \mathcal{R})$. $B^*$ then interacts with $A$ on inputs $c$ and $b^*$. The view of $B^*$ with input $c$ when interacting with $A$ with inputs $s_0, s_1$ (denoted $\mathrm{view}_{B^*}^{(A,B^*)}(s_0,s_1;c)$) is defined as the view of $B^*$ when interacting with $A$.

We now turn to the definition of oblivious transfer in the bounded storage model. The security of Bob asks that for any malicious strategy for Alice, its view is identically distributed whether Bob inputs $c = 0$ or $c = 1$. The definition of Alice's security is a bit more complex because one of her secrets is passed to Bob. For this definition, we partition every protocol that implements OT into two stages. The first stage, called the Setup Stage, includes the transmission of the long string $\mathcal{R}$ and all additional messages sent by Alice and Bob until the point where Alice first makes use of her input $s_0, s_1$. The remaining steps in the protocol are called the Transfer Stage. Next we define consistent pairs of secrets.

8 The view of $A^*$ may be thought of as also containing the party's randomness, inputs and outputs, as well as the messages received from $B$. This more intuitive "view" is possible since w.l.o.g. the malicious party may copy this view to its output.

Definition 4.3 Two pairs $s = (s_0, s_1)$ and $s' = (s'_0, s'_1)$ are $c$-consistent if $s_c = s'_c$.

The security of Alice asks that following the setup stage (which does not depend on the secrets), there is an index $C$ (possibly a random variable which depends on $\mathcal{R}$ and the messages sent by the two parties in the setup stage) such that Bob's view is (close to) identically distributed for every two $C$-consistent pairs. In other words, Bob's view is (almost) independent of one of the secrets (the one with index $1 - C$). We next present the actual definition.

Definition 4.4 (Oblivious Transfer) A protocol $(A, B)$ is said to implement $(1-\epsilon)$-oblivious transfer (OT) if it is a protocol in which Alice inputs two secrets $s_0, s_1 \in \{0,1\}^u$, Bob inputs a choice bit $c \in \{0,1\}$, and that satisfies:

Functionality: If Alice and Bob follow the protocol then for any $s_0, s_1$ and $c$,

1. The protocol does not abort with probability $1 - \epsilon$.

2. If the protocol ends then Bob outputs $s_c$, whereas Alice outputs nothing.

Security for Bob: The view of any strategy $A^*$ is independent of $c$. Namely, for every $s_0, s_1$:

$$\{\mathrm{view}_{A^*}^{(A^*,B)}(s_0,s_1;c) \mid c = 0\} = \{\mathrm{view}_{A^*}^{(A^*,B)}(s_0,s_1;c) \mid c = 1\}$$

$(K,\epsilon)$-Security for Alice: For every bounded storage strategy $B^*$ for Bob with memory bound $K$ and input $c$ there is a random variable $C$ defined by the end of the setup stage such that for every two pairs $s$ and $s'$ that are $C$-consistent, the two views are $\epsilon$-close:

$$\{\mathrm{view}_{B^*}^{(A,B^*)}(s;c)\} \approx_\epsilon \{\mathrm{view}_{B^*}^{(A,B^*)}(s';c)\}$$

If Bob is semi-honest then $C = c$;^9 however, a dishonest receiver can always choose to ignore $c$ and play with an input $c'$ which depends on $\mathcal{R}$ and the messages in the setup stage. Thus, letting $C$ depend on $\mathcal{R}$ and the messages in the setup stage is unavoidable. We remark that the definition would be meaningless if $C$ were allowed to depend on the secrets $s_0, s_1$, and this is the reason we require a partitioning of a protocol into a setup stage and a transfer stage. We stress that the security achieved in this definition is information theoretic.

Remark 4.1. We mention that it does not immediately follow that all the "standard" applications of OT can be performed in the bounded storage model (this is also the case for the previous protocols in this model [CCM98,Din01]). Nevertheless, we now explain how this protocol can be used as a sub-protocol to perform other cryptographic tasks. For this we note that the above definition implies security by a simulation argument (although the simulator is not necessarily efficient).^10 Thus, for example, our OT protocol can be used as in the construction of Kilian [Kil88], to give a protocol for secure two-party computation in the bounded storage model. The security achieved guarantees that an unbounded party learns nothing about the input of the other party. We stress that typically one requires that the simulators should run with essentially the same efficiency as the attack being simulated, and that this provides a stronger notion of security.

9 A semi-honest receiver is one that follows the protocol but remembers more than required about $\mathcal{R}$ and attempts to use this information to learn both secrets.

10 Loosely speaking, the simulation paradigm requires that any attack of a malicious party can be simulated in an ideal setting where the parties interact only through a trusted party. This ensures that the protocol is as secure as an interaction in the ideal setting.

Constant-Round Oblivious Transfer in the Bounded Storage Model

We now give a sketch of the simulator for the receiver's strategy $B^*$. The simulator plays the roles of both $B^*$ and $A$ in the protocol up to the transfer stage. At this point the simulator computes the random variable $C$ and calls the trusted party asking for the secret $s_C$. It continues by simulating $A$ with inputs $s_C$ as received from the trusted party and a uniformly random $s_{1-C}$. By the definition this turns out to be a valid simulation; however, computing $C$ is not necessarily efficient and therefore the simulator is unbounded.

5 Interactive Hashing 

One of the main tools we use in this paper is the interactive hashing protocol. While useful in the bounded storage model, it is important to note that interactive hashing is not inherently tied to this model. As a matter of fact, the definitions and protocols given here achieve security against all-powerful adversaries with no storage bounds at all.

5.1 Preliminaries: Permutations and Hash Functions 

Definition 5.1 ($2^k$-to-1 Hash Functions) A hash function $h: \{0,1\}^m \to \{0,1\}^{m-k}$ is $2^k$-to-1 if for every output of $h$ there are exactly $2^k$ pre-images. That is, $|h^{-1}(z)| = 2^k$ for every $z \in \{0,1\}^{m-k}$.

One simple method of constructing a $2^k$-to-1 hash function is to take a permutation on $m$-bit strings and omit the last $k$ bits of its output. Clearly every output of the resulting function can be extended to $2^k$ different strings and therefore has $2^k$ pre-images. Examples of useful permutations follow.

Almost t-wise Independent Permutations. In our discussion we would like to use a random permutation on $m$-bit strings. However, a description of such a permutation would be exponentially long since there are $(2^m)!$ such permutations. The solution is to use a permutation that falls short of being truly random but still has enough randomness to it. Specifically we want to efficiently sample a permutation $\pi$ out of a small space of permutations such that when looking at $\pi$ applied to any $t$ points in $\{0,1\}^m$, $\pi$ behaves like a truly random permutation. Such a space is called a $t$-wise independent permutation space.

Unlike in the case of functions, where there are extremely randomness-efficient constructions of $t$-wise independent functions, we are unaware of such constructions for permutations. Instead we further relax our demands and ask the construction to be almost $t$-wise independent, that is, the distribution induced by the permutation $\pi$ on any $t$ points is statistically close to the distribution induced on these points by a truly random permutation. Formally:
Definition 5.2 An $\eta$-almost $t$-wise independent permutation space is a procedure that takes as input a seed of $l$ bits and outputs a description of an efficiently computable permutation in $S_{2^m}$.^11 A uniformly chosen seed induces a distribution $\Pi_{t,\eta}$ on permutations such that for any $t$ strings $x_1, \ldots, x_t \in \{0,1\}^m$:

$$\{(\pi(x_1), \ldots, \pi(x_t))\}_{\pi \leftarrow \Pi_{t,\eta}} \approx_\eta \{(\pi(x_1), \ldots, \pi(x_t))\}_{\pi \leftarrow S_{2^m}}$$

We use the construction presented by Gowers in [Gow96].

Theorem 5.3 ([Gow96]) There exists an $\eta$-almost $t$-wise independent permutation space $\Pi_{t,\eta}$ with $t = m$, $\eta = (1/2^m)^t$ and seed length $l = m^C$ for some constant $C$. Furthermore, $\Pi_{t,\eta}$ runs in time and space polynomial in the seed length.

We note that the main theorem of Gowers requires some special properties from the value of $m$. However, this is only needed to improve parameters, and the weaker result presented in the middle of the paper (Lemma 3) is satisfactory and puts no limitation on the value of $m$. The constant in the exponent of the above theorem is around $C = 10$, which is high but acceptable.

Other constructions of almost $t$-wise independent permutations were discussed in [NR99] and other references therein.

Pairwise Independent Permutations. A widely used tool is a pairwise independent permutation of strings of $m$ bits. This is simply a 2-wise independent permutation as defined above (i.e., a 0-almost 2-wise independent permutation).

The construction that we use identifies $\{0,1\}^m$ with the field $GF(2^m)$. A permutation is sampled by randomly choosing two elements $a, b \in GF(2^m)$ with the restriction that $a \neq 0$. The permutation is then defined by $g_{a,b}(x) = ax + b$ (where all operations are in the field). Generating a pairwise independent permutation therefore requires $2m$ random bits.

Note: To construct a pairwise independent 2-to-1 hash function simply take a pairwise independent permutation and omit the last bit of its output.

5.2 Definition: Interactive Hashing 

Interactive hashing is a protocol between Alice with no input and Bob with an 
input string. At the end of the protocol Alice and Bob should agree on two 
strings: One should be Bob’s input and intuitively the other should be random. 
Moreover, Alice should not be able to distinguish which of the two is Bob’s input 
and which is the random string. 

Definition 5.4 (Interactive Hashing) A protocol $(A, B)$ is called an interactive hashing protocol if it is an efficient protocol between Alice with no input and Bob with input string $W \in \{0,1\}^m$. At the end of the protocol both Alice and Bob output a (succinct representation of a) 2-to-1 function $h: \{0,1\}^m \to \{0,1\}^{m-1}$ and two values $W_0, W_1 \in \{0,1\}^m$ (in lexicographic order) so that $h(W_0) = h(W_1) = h(W)$.

Let $d \in \{0,1\}$ be such that $W_d = W$. Furthermore, if the distribution of the string $W_{1-d}$ over the randomness of the two parties is $\eta$-close to uniform, then the protocol is called $\eta$-uniform interactive hashing (or simply uniform interactive hashing if $\eta = 0$).

11 $S_{2^m}$ denotes the family of all permutations on $m$-bit strings.



Definition 5.5 (Security of Interactive Hashing) An interactive hashing protocol is secure for $B$ if for every unbounded deterministic strategy $A^*$ and every $W$, if $h, W_0, W_1$ are the outputs of the protocol between an honest Bob with input $W$ and $A^*$, then

$$\{\mathrm{view}_{A^*}^{(A^*,B)}(W) \mid W = W_0\} = \{\mathrm{view}_{A^*}^{(A^*,B)}(W) \mid W = W_1\}$$

An interactive hashing protocol is $(s,p)$-secure for $A$ if for every $S \subseteq \{0,1\}^m$ of size at most $2^s$ and every unbounded strategy $B^*$, if $W_0, W_1$ are the outputs of the protocol, then:

$$\Pr[W_0, W_1 \in S] \le p$$

where the probability is taken over the coin tosses of $A$ and $B^*$.

An interactive hashing protocol is $(s,p)$-secure if it is secure for $B$ and $(s,p)$-secure for $A$.



Remark 5.1. The definition above does not deal with the case that dishonest 
players abort before the end of the execution. Intuitively, such a definition is 
sufficient for our purposes since in our OT protocol, the interactive hashing is 
used before the players send any message that depends on their secrets, and thus 
their secrets are not compromised. 



5.3 Partial Result: A Two Message Interactive Hashing 

We start by showing that when the bad set $S$ is small enough then the following naive protocol is sufficiently good. In this 2-message protocol, called 2M-IH, Alice sends a random 2-to-1 hash function $h: \{0,1\}^m \to \{0,1\}^{m-1}$ and Bob replies with $z = h(W)$.

Claim 5.6 For all $s$, the 2M-IH protocol is an $(s, 2^{-(m-2s+1)})$-secure uniform interactive hashing protocol.

Proof: The 2M-IH is clearly an interactive hashing protocol, and since $h$ is pairwise independent, it is also uniform ($W_{1-d}$ is uniformly distributed). The 2M-IH is also secure for $B$ since all that Bob sends to Alice is $h(W)$, which is the exact same view whether Bob has input $W = W_1$ or $W = W_0$. On the other hand, since $h$ is built from a pairwise independent permutation $g$ by dropping the last output bit, for any two fixed strings $W_0 \neq W_1$ the pair $(g(W_0), g(W_1))$ is uniform over ordered pairs of distinct field elements, and both land in a given cell $z \in \{0,1\}^{m-1}$ only if they fill its two slots. That is:

$$\Pr_h[h(W_0) = h(W_1) = z] = \frac{2}{2^m(2^m-1)}$$

Denote $X_z = 1$ if both strings mapped to cell $z$ are from the set $S$ and $X_z = 0$ otherwise. Since exactly two strings are mapped to $z$, the events for different pairs from $S$ are disjoint, and:

$$\Pr_h[X_z = 1] = \sum_{\{W_0,W_1\} \subseteq S} \Pr_h[h(W_0) = h(W_1) = z] = \binom{2^s}{2} \cdot \frac{2}{2^m(2^m-1)}$$

Denote by $X$ the number of cells $z$ such that both values mapped into $z$ are from the set $S$; then, using $(2^s-1)/(2^m-1) \le 2^s/2^m$ for $s \le m$:

$$E[X] = E\Big[\sum_z X_z\Big] = \sum_z E[X_z] = 2^{m-1} \cdot \binom{2^s}{2} \cdot \frac{2}{2^m(2^m-1)} = \frac{2^s(2^s-1)}{2(2^m-1)} \le \frac{2^{2s}}{2 \cdot 2^m} = 2^{-(m-2s+1)}$$

The protocol is insecure only if Bob finds a cell $z$ with two bad values, that is only if $X \ge 1$. But using Markov's inequality we have that $\Pr[X \ge 1] \le E[X] \le 2^{-(m-2s+1)}$. Thus this protocol is $(s, 2^{-(m-2s+1)})$-secure for Alice.



5.4 A Four Message Protocol for Interactive Hashing 

The two message protocol is useful when the bad set $S$ is very small. However, if $S$ is large (for example, if $|S| = 2^s$ and $s = \gamma m$ for any constant $\gamma$) then this protocol does not suffice. While the interactive hashing protocol of [NOVY98] takes $m$ rounds of communication to overcome this, the following protocol achieves this using an interaction of just four messages.

Theorem 5.7 For all $s$, the 4M-IH protocol is an $(s, 2^{-(m-s)+\log m+4})$-secure $\eta$-uniform interactive hashing protocol for $\eta = (1/2^v)^t < 2^{-m}$.

Proof: We start by noting that the protocol is efficient for both parties due to the efficiency of the permutations used. Furthermore, they can run in small space. This is an $\eta$-uniform interactive hashing protocol since $h$ is $\eta$-close to pairwise independent and therefore the distribution of $W_{1-d}$ is $\eta$-close to uniform.

The 4M-IH protocol is secure for $B$ since no matter what strategy $A^*$ Alice uses, the messages that Bob sends are identical whether his input is $W = W_0$ or $W = W_1$ (recall that $h(W_0) = h(W_1)$).

This protocol has two stages of question and answer (4 messages), and in order to prove the security for $A$ we view each of these two parts separately. In the first part, all strings $W \in \{0,1\}^m$ are divided by $\pi'$ into $2^v$ cells (according to the value of $\pi'(W)$). Our goal is to show that no cell $z' \in \{0,1\}^v$ has too many strings from the bad set $S$ mapped to it. The second part of the protocol can then be viewed as implementing the 2M-IH protocol on the strings in the cell $z'$, yielding the security of the combined protocol (the portion of bad strings in the cell $z'$ is reduced to less than a square root of the number of strings in the cell). We start by bounding the probability that a specific set of $t$ strings are mapped by $\pi'$ to the same cell $z$.
4M-IH (4 Message Interactive Hashing)

Common Input: Parameters $m$ and $s$. Let $v = s - \log m$.

A family $\Pi$ of $\eta$-almost $t$-wise independent permutations $\pi: \{0,1\}^m \to \{0,1\}^m$. Take $t = m$ and $\eta = (1/2^v)^t$.

A family $G$ of 2-wise independent 2-to-1 hash functions $g: \{0,1\}^{m-v} \to \{0,1\}^{m-v-1}$.

A family $H$ (induced by $\Pi, G$) of 2-to-1 hash functions $h: \{0,1\}^m \to \{0,1\}^{m-1}$ defined as:

$$h(x) = \pi(x)_1, \ldots, \pi(x)_v,\ g(\pi(x)_{v+1}, \ldots, \pi(x)_m)$$

where $\pi(x)_i$ denotes the $i$-th bit of $\pi(x)$.

Input of Alice: $\bot$.

Input of Bob: $W \in \{0,1\}^m$.

— Alice: Choose $\pi \leftarrow \Pi$. Send $\pi$ to Bob.

— Bob: Compute $z_1, \ldots, z_m = \pi(W)$. Send $\pi'(W) = z_1, \ldots, z_v$ to Alice (let $\pi'$ denote $\pi$ truncated to its first $v$ bits).

— Alice: Choose $g \leftarrow G$. Send $g$ to Bob.

— Bob: Send $g(z_{v+1}, \ldots, z_m)$ to Alice.

— Alice and Bob: Output $W_0, W_1$ s.t. $h(W_0) = h(W_1) = h(W)$.

Fig. 3. The four message protocol for interactive hashing.
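The constructions above in working form, as an added example that is not part of the paper: the affine pairwise independent permutation $g_{a,b}(x) = ax + b$ over $GF(2^m)$ from Section 5.1, the 2-to-1 hash obtained by dropping its last output bit, the 2M-IH of Section 5.3, and the 4M-IH of Fig. 3. Two assumptions are ours: the almost $t$-wise independent permutation $\pi$ of [Gow96] is replaced by a member of the same affine family (any permutation makes the protocol well defined; only the security analysis needs the stronger family), and the field polynomials in `IRREDUCIBLE` are a constructed choice for toy block sizes. The last function enumerates every $h$ of the 2M-IH family to compute exactly the quantity Claim 5.6 bounds.

```python
"""Pairwise independent 2-to-1 hashing and the 2M-IH / 4M-IH protocols of Section 5.
Added example, not the paper's code. Stand-in: pi is drawn from the GF(2^m) affine
family instead of the almost t-wise independent family of [Gow96]."""
import secrets

# Irreducible polynomials for the small fields used here (a constructed choice).
IRREDUCIBLE = {4: 0b10011, 5: 0b100101, 6: 0b1000011, 7: 0b10000011, 8: 0b100011011}


def gf_mul(a, b, k):
    """Multiply a and b in GF(2^k) = GF(2)[x] / (IRREDUCIBLE[k])."""
    poly, r = IRREDUCIBLE[k], 0
    for _ in range(k):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> k:            # degree reached k: reduce modulo the field polynomial
            a ^= poly
    return r


def sample_perm(k):
    """Pairwise independent permutation g_{a,b}(x) = a*x + b on GF(2^k), a != 0 (2k random bits)."""
    return 1 + secrets.randbelow(2 ** k - 1), secrets.randbelow(2 ** k)


def apply_perm(perm, x, k):
    a, b = perm
    return gf_mul(a, x, k) ^ b


def hash_2to1(perm, x, k):
    """2-to-1 hash {0,1}^k -> {0,1}^(k-1): the permutation with its last output bit omitted."""
    return apply_perm(perm, x, k) >> 1


def preimages(f, image, k):
    """h^{-1}(image) over {0,1}^k by brute force (fine for the toy sizes used here)."""
    return sorted(x for x in range(2 ** k) if f(x) == image)


def two_message_ih(w, m):
    """2M-IH: Alice sends a random 2-to-1 h, Bob replies z = h(W); both output h^{-1}(z)."""
    h = sample_perm(m)                          # Alice -> Bob: description of h
    z = hash_2to1(h, w, m)                      # Bob -> Alice: z = h(W)
    w0, w1 = preimages(lambda x: hash_2to1(h, x, m), z, m)   # exactly two preimages
    return w0, w1


def four_message_ih(w, m, s):
    """4M-IH (Fig. 3) with v = s - log m; returns (W_0, W_1) in lexicographic order."""
    log_m = m.bit_length() - 1
    v = s - log_m
    assert 1 << log_m == m and 0 < v < m, "demo needs m a power of two and 0 < v < m"
    low = (1 << (m - v)) - 1                    # mask selecting pi(x)_{v+1..m}
    pi = sample_perm(m)                         # Alice -> Bob: pi (stand-in for Pi_{t,eta})
    z = apply_perm(pi, w, m)                    # Bob: z_1..z_m = pi(W)
    head = z >> (m - v)                         # Bob -> Alice: pi'(W), the first v bits
    g = sample_perm(m - v)                      # Alice -> Bob: pairwise independent 2-to-1 g
    y = hash_2to1(g, z & low, m - v)            # Bob -> Alice: g(z_{v+1..m})

    def h(x):                                   # h(x) = pi(x)_1..v, g(pi(x)_{v+1..m})
        px = apply_perm(pi, x, m)
        return px >> (m - v), hash_2to1(g, px & low, m - v)

    w0, w1 = preimages(h, (head, y), m)         # the two strings in W's cell
    return w0, w1


def exact_2m_ih_failure_prob(bad, m):
    """Pr_h[some cell of h holds two strings of S], exactly, over all (a, b) with a != 0.
    This is the quantity Claim 5.6 bounds by 2^{-(m - 2s + 1)} for |S| <= 2^s."""
    hits = 0
    for a in range(1, 2 ** m):
        for b in range(2 ** m):
            cells = [hash_2to1((a, b), x, m) for x in bad]
            hits += len(set(cells)) < len(cells)
    return hits / ((2 ** m - 1) * 2 ** m)
```

Bob's two messages ($\pi'(W)$ and $g(z_{v+1}, \ldots, z_m)$) are the same for both strings in the cell, which is the security-for-$B$ argument; the preimage search both parties run at the end is how an honest Alice recovers $W_0, W_1$ without learning $d$. With $m = 6$ and a bad set of four strings ($s = 2$), `exact_2m_ih_failure_prob` stays below the Claim 5.6 bound $2^{-(6-4+1)} = 1/8$.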



Claim 5.8 For every $z \in \{0,1\}^v$ and all $x_1, \ldots, x_t \in \{0,1\}^m$ we have that:

$$p = \Pr_{\pi \in \Pi}[\pi'(x_1) = \pi'(x_2) = \cdots = \pi'(x_t) = z] \le \left(\frac{1}{2^v}\right)^t + \eta$$

Proof: Suppose that $\pi$ were a $t$-wise independent function (and not a permutation); then for every $x_i \in \{0,1\}^m$ the probability that $\pi'(x_i) = z$ is exactly $1/2^v$, and the probability that this is the case for $t$ different values is exactly $(1/2^v)^t$. Since $\pi$ is a permutation, this probability is in fact smaller, as for every $i$ we have $\Pr[\pi'(x_i) = z \mid \pi'(x_1) = \pi'(x_2) = \cdots = \pi'(x_{i-1}) = z] \le 1/2^v$. But $\pi$ is actually an almost $t$-wise independent permutation, so the probability on $t$ elements may deviate by up to $\eta$ from that of a truly random permutation, and therefore $p \le (1/2^v)^t + \eta$.

Let us focus on a specific cell $z \in \{0,1\}^v$. For every set of $t$ elements $x_1, \ldots, x_t \in S$ denote by $Y_z(x_1, \ldots, x_t)$ the indicator of whether all $x_i$ are mapped to $z$. That is:

$$Y_z(x_1, \ldots, x_t) = \begin{cases} 1 & \pi'(x_1) = \pi'(x_2) = \cdots = \pi'(x_t) = z \\ 0 & \text{otherwise} \end{cases}$$

Let $Y_z$ denote the number of strings from $S$ mapped to cell $z$ by $\pi'$. Let $E = 2^s/2^v$, which is the expected number of strings from $S$ in each cell if they were divided uniformly at random. We claim that with high probability $Y_z$ does not deviate much from $E$.
Lemma 5.9 For all $z \in \{0,1\}^v$,

$$\Pr_{\pi \in \Pi}[Y_z > 4E] \le 2^{-(t-1)}$$

Proof: Consider the table of all possible $Y_z(x_1, \ldots, x_t)$, where each row stands for a specific set $x_1, \ldots, x_t$ and each column stands for a choice of $\pi$. By Claim 5.8, the fraction of ones in each row, and hence the fraction of ones in the whole table, is at most $(1/2^v)^t + \eta$. On the other hand, for each $\pi$ such that $Y_z > 4E$ there are at least $\binom{4E}{t}$ sets of $t$ elements for which $Y_z(x_1, \ldots, x_t) = 1$; therefore the fraction of ones is at least $\Pr_{\pi \in \Pi}[Y_z > 4E] \cdot \binom{4E}{t} / \binom{2^s}{t}$. Therefore we get that:

$$\Pr_{\pi \in \Pi}[Y_z > 4E] \cdot \frac{\binom{4E}{t}}{\binom{2^s}{t}} \le \left(\frac{1}{2^v}\right)^t + \eta$$

Recall that $\eta = (1/2^v)^t$, and using the fact that $\binom{2^s}{t} / \binom{4E}{t} \le \left(\frac{2^s}{4E-t+1}\right)^t$:

$$\Pr_{\pi \in \Pi}[Y_z > 4E] \le 2 \left(\frac{1}{2^v}\right)^t \left(\frac{2^s}{4E-t+1}\right)^t$$

We take $t + 1 \le 2E$ and recall that $E = 2^s/2^v$:

$$\Pr_{\pi \in \Pi}[Y_z > 4E] \le 2 \left(\frac{2^s}{2^v \cdot 2E}\right)^t = 2 \left(\frac{2^s}{2 \cdot 2^s}\right)^t = 2 \cdot 2^{-t} = 2^{-(t-1)}$$

This completes the proof of Lemma 5.9.

As a corollary of Lemma 5.9 we get that with high probability there is no cell that contains a large number of bad elements. Applying a union bound gives:

$$\Pr_{\pi \in \Pi}[\exists z \text{ s.t. } Y_z > 4E] \le 2^v \cdot 2^{-(t-1)}$$

Recall that $t = m$ and $v = s - \log m$, so the probability of error here is $2^{-(m-s)-\log m+1}$.

Assuming that indeed for all cells $z$ we have $Y_z \le 4E$, the second part of the protocol is actually running the 2M-IH on the strings in a specific cell $z'$. This cell contains all the possible extensions of $z'$ into an $m$-bit string. Therefore, the 2M-IH is run on strings of length $m' = m - v$. No more than $2^{s'} = 4E = 4 \cdot 2^{s-v}$ of these strings belong to the bad set $S$. According to Claim 5.6 the second part of the protocol is an $(s', 2^{-(m'-2s'+1)})$-secure interactive hashing protocol. The probability that Bob can choose a cell with two strings from the bad set is therefore $2^{-(m'-2s'+1)} = 2^{-(m-v-2(s-v+2)+1)} = 2^{-(m-s)+\log m+3}$. Combined with the probability that there exists a $z$ with $Y_z > 4E$, we get that the probability that any strategy $B^*$ Bob plays succeeds in choosing both $W_0$ and $W_1$ in the set $S$ is at most $2^{-(m-s)-\log m+1} + 2^{-(m-s)+\log m+3} \le 2^{-(m-s)+\log m+4}$.
6 The Oblivious Transfer Protocol

Our BS-OT protocol is presented in Figure 4. The protocol relies on three ingredients: an extractor, a min-entropy sampler, and an interactive hashing protocol. The precise requirements from the ingredients are presented in Figure 5.



Input of Alice: Secret bits $s_0, s_1 \in \{0,1\}^u$.

Input of Bob: Choice bit $c \in \{0,1\}$.

Setup Stage:

Subsets Stage: Alice and Bob store subsets of the string $\mathcal{R} \in \{0,1\}^N$.

— Alice: Choose $P \leftarrow [L_A]$. Compute $A \subseteq [N]$ of size $n$ by $A = \mathrm{Samp}_A(P)$ and store the bits $\mathcal{R}_A$.

— Bob: Choose a random $B \subseteq [N]$ of size $n$ and store the bits $\mathcal{R}_B$.

— Alice: Send $A$ to Bob by sending $P$.

— Bob: Determine $C = A \cap B$. If $|C| < \ell$ abort. If $|C| > \ell$, randomly truncate it to be of size $\ell$.

— Bob: Compute $h_m$ as in Definition 3.2. Choose $Q \leftarrow [h_m]$ and compute $W = F_m(C, Q)$.*

Interactive Hashing Stage: Interactively hash $W$.

— Bob: Input $W$ into the interactive hashing protocol.

— Alice and Bob: Interactively obtain $h$ and $W_0, W_1$ s.t. $h(W_0) = h(W_1) = h(W)$. Compute the subsets $C_0, C_1$ encoded by $W_0, W_1$. If $W_0$ or $W_1$ isn't a valid encoding then abort.

Choice Stage:

— Bob: Let $d \in \{0,1\}$ be such that $W_d = W$. Send $e = c \oplus d$.

— Alice: For $i \in \{0,1\}$ send $Y_i \leftarrow \{0,1\}^{d_E}$.

Transfer Stage:

— Alice: Set $X_0 = \mathcal{R}_{C_0}$ and $X_1 = \mathcal{R}_{C_1}$.

— Alice: Send "encrypted" values of $s_0$ and $s_1$: For $i \in \{0,1\}$, send $Z_i = s_{i \oplus e} \oplus \mathrm{Ext}(X_i, Y_i)$.

— Bob: Compute $X = \mathcal{R}_C$. Bob's output is given by $\mathrm{Ext}(X, Y_{c \oplus e}) \oplus Z_{c \oplus e}$.

* The range of $F_m$ is $[n]$ and not $A = \mathrm{Samp}_A(P)$. For simplicity, we treat $C$ as a subset of $A$.

Fig. 4. Protocol BS-OT for 1-2 OT in the bounded storage model.



In our suggested implementation of BS-OT we choose $\mathrm{Samp}_A$ to be the sampler from [Vad03], $\mathrm{Ext}$ to be an extractor from [RRV99] and use the 4M-IH interactive hashing protocol from the previous section. The precise choices of parameters for these ingredients appear in Section 8. These choices meet the requirements of Figure 5 with $\epsilon = 2^{-\Omega(\ell)}$. The main theorem of this paper asserts that this implementation of BS-OT is a constant round protocol for oblivious transfer in the bounded storage model.

At first reading, the reader may safely ignore the sampler and assume that the set $A$ is chosen uniformly at random. That is, assume that $\mathrm{Samp}_A$ is the identity mapping, so that $P$ is itself a uniformly random $n$-subset of $[N]$.

Using different samplers allows choosing a "random" set $A$ which has a shorter description. Specifically, using the sampler from Section 8 reduces the description size of $A$ from $\log \binom{N}{n} = \Theta(n \log n)$ to $O(\ell)$.
Parameters:

— $N$ - the length of the long random string $\mathcal{R}$.

— $n$ - the number of bits honest players remember about $\mathcal{R}$.

— $u$ - the length of the secrets.

— $\ell = n^2/2N$ - the size of the intersection set.

— $\nu$ - the dishonest receiver remembers at most $\nu N$ bits about $\mathcal{R}$.

— $\epsilon$ - the error of the protocol. We can only achieve $\epsilon > 2^{-c\,\delta'_A \ell/\log(1/\delta'_A)}$, where $\delta'_A$ is defined below and $c > 0$ is some constant which may depend on the constant $c_{IH}$ defined below. We therefore require that $\epsilon$ satisfy this condition.

Ingredients:

— A $(\delta_A, \delta'_A, \phi_A, \tau_A)$-min-entropy sampler $\mathrm{Samp}_A: [L_A] \to [N]^n$ with:

• $\delta_A \le (1 - \nu)/2$.

• $\delta'_A = \delta_A/2$.

• $\phi_A \le \epsilon/20$.

• $\tau_A \le \epsilon/20$.

• $L_A$ determines the length of the first message sent by Alice.

— A $(k_E, \epsilon_E)$-strong extractor $\mathrm{Ext}: \{0,1\}^{n_E} \times \{0,1\}^{d_E} \to \{0,1\}^{m_E}$ with:

• $n_E = \ell$.

• $d_E \le \delta'_A \ell/12$.

• $m_E = u \le \delta'_A \ell/12$.

• $k_E \ge \delta'_A \ell/6$.

• $\epsilon_E \le (\epsilon/20)^2$.

— An $(s,p)$-secure $(2^{-m})$-uniform interactive hashing protocol for strings of length $m = 10\ell\log n$ with:

• $s \le m - c_{IH}\,\delta'_A \ell/\log(1/\delta'_A) + 1$ ($c_{IH} > 0$ is a constant chosen in the proof).

• $p \le \epsilon/20$.*

* Note that $p$ depends on $c_{IH}$ and this is why we allow the constant $c$ in the requirement on $\epsilon$ to depend on $c_{IH}$. The order of quantifiers is as follows: There is some constant $c_{IH} > 0$ chosen in the proof. The constant $c$ depends on this constant.

Fig. 5. Ingredients and requirements for Protocol BS-OT.

Theorem 6.1 There is a constant $\alpha > 0$ such that if $N, n$ and $\ell$ satisfy $\log n \le \ell \le n^\alpha$ then for every constant $\nu < 1$, letting protocol BS-OT use the ingredients described in Section 8, Protocol BS-OT is a $(1-\epsilon)$-oblivious transfer protocol for $\epsilon = 2^{-\Omega(\ell)}$. Furthermore:

— The protocol has 5 messages.

— The strategies for Alice and Bob run in time $\mathrm{poly}(n)$ and space $k = O(n \log n)$.

— The protocol passes secrets of length $u = \Omega(\ell)$.

— The overall number of bits exchanged is $TC = \ell^{O(1)}$.

The constants hidden in $\epsilon$, $s$, $u$ and $TC$ above depend on $\nu$. Tracing this dependency gives that for $\delta = (1 - \nu)$: $\epsilon = 2^{-\Omega(\delta\ell/\log(1/\delta))}$, $s = m - \Theta(\delta\ell/\log(1/\delta))$, and $u = \Omega(\delta\ell)$. This holds even when $\nu$ isn't a constant as long as $n \ge \ell/\delta^4$. That is, the Theorem holds even for $\nu \approx 1 - (\ell/n)^{1/4}$.

The results mentioned in the introduction can be obtained by choosing $n$ so that $n^{2-2\alpha} = N/\log N$ for some small constant $\alpha > 0$. Note that if $\alpha$ is sufficiently small then the space of honest players satisfies $k = O(n \log n) = O(N^{1/(2-2\alpha)}) < \nu N$, where the last inequality follows assuming $\nu > 1/2$, which we can assume w.l.o.g. As $\ell = n^2/2N$ we have that $\ell = n^{2\alpha}/2\log N \ge k^\alpha$ for large enough $n$, and we have that $\epsilon = 2^{-\Omega(\ell)} = 2^{-\Omega(k^\alpha)}$.

7 The Functionality and Security of the OT Protocol

The proof of Theorem 6.1 follows from the combination of several lemmas stated below. The first lemma asserts that protocol BS-OT indeed implements oblivious transfer.

Lemma 7.1 For every choice of ingredients for BS-OT and every $s_0, s_1, c$, if Alice and Bob follow protocol BS-OT then

— With probability $1 - 2^{-\Omega(\ell)}$ the protocol does not abort.

— If the protocol does not abort then Bob's output is indeed $s_c$.

Proof: We first show that with high probability $|A \cap B| \ge \ell$. This is because for every fixed $A$, as $B$ is a random set the expected size of $A \cap B$ is $n^2/N = 2\ell$. A standard lemma (see for example Corollary 3 in [Din01]) can be used to show that there exists a constant $0 < d < 1$ such that the probability that $|A \cap B| < \ell$ is at most $2e^{-d\ell}$.

We now show that the probability that one of $W_0, W_1$ is not a valid encoding of a subset is small. $W_d$ was chosen by Bob and is certainly a valid encoding. By the definition of interactive hashing, the other string $W_{1-d}$ is $\eta$-close to uniformly distributed in $\{0,1\}^m$, for $\eta \le 2^{-m}$. By Lemma 3.3 the probability that a random string $W \in \{0,1\}^m$ is not a valid encoding is at most $\binom{n}{\ell} 2^{-m} \le 2^{\ell \log n - m} = 2^{-0.9m}$, as $m = 10\ell\log n$. It follows that the probability of abort is bounded by $2^{-m} + 2^{-0.9m} + 2e^{-d\ell} \le 2^{-\Omega(\ell)}$.

To see that whenever the protocol does not abort Bob indeed outputs $s_c$, we observe that $X = \mathcal{R}_C$ is known to Bob (since $C = A \cap B \subseteq B$ and Bob has stored all the bits $\mathcal{R}_B$). In particular, Bob is always able to compute $\mathrm{Ext}(X, Y_{c \oplus e})$ and subsequently use it in order to "decrypt" the value $Z_{c \oplus e}$. Recalling that $c \oplus e = d$, by the definition of the protocol we then have:

$$\mathrm{Ext}(X, Y_{c \oplus e}) \oplus Z_{c \oplus e} = \mathrm{Ext}(X, Y_d) \oplus \big(s_c \oplus \mathrm{Ext}(X_d, Y_d)\big) = \mathrm{Ext}(X, Y_d) \oplus \big(s_c \oplus \mathrm{Ext}(X, Y_d)\big) = s_c \quad (1)$$

where the second equality in Eq. (1) follows from the fact that $X_d$ equals $\mathcal{R}_C$ $(= X)$, which in turn follows from the fact that $C_d = C$ (since $W_d = W$ and the encoding $F_m$ is one-to-one). The lemma follows.
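An honest execution of Fig. 4 end to end, as an added example (not the paper's code) that also exercises the correctness computation of Lemma 7.1. Ingredients the page does not spell out are replaced by labeled stand-ins: $\mathrm{Samp}_A$ is the identity (Alice's first message is the set $A$ itself), interactive hashing is an ideal box that returns $W$ together with a uniform $W' \neq W$ rather than a protocol run, $F_m(C,Q)$ is a combinatorial-number-system encoding chosen so that a uniform $m$-bit string fails to decode with probability below $\binom{n}{\ell}2^{-m}$ as in Lemma 3.3, and $\mathrm{Ext}$ is a Toeplitz hash standing in for [RRV99]. The string $\mathcal{R}$, the secrets and the parameter values are constructed inputs.

```python
"""Honest run of protocol BS-OT (Fig. 4). Added example, not the paper's code.
Stand-ins: Samp_A = identity, ideal interactive hashing, combinatorial-number-system
encoding for F_m, Toeplitz hash for Ext. Parameters follow Fig. 5."""
import math
import random


def rank_subset(subset):
    """Combinatorial number system: sorted ell-subset of [n] -> integer in [0, C(n, ell))."""
    return sum(math.comb(x, i + 1) for i, x in enumerate(subset))


def unrank_subset(r, n, ell):
    """Inverse of rank_subset (greedy, largest element first)."""
    out = []
    for i in range(ell, 0, -1):
        x = n - 1
        while math.comb(x, i) > r:
            x -= 1
        r -= math.comb(x, i)
        out.append(x)
    return sorted(out)


def encode_subset(subset, n, ell, m, rng):
    """Stand-in for F_m(C, Q): W = Q * C(n, ell) + rank(C), Q uniform in [h_m]. One-to-one in
    (C, Q); a uniform W in {0,1}^m is invalid with probability < C(n, ell) / 2^m (cf. Lemma 3.3)."""
    num = math.comb(n, ell)
    h_m = 2 ** m // num
    return rng.randrange(h_m) * num + rank_subset(subset)


def decode_subset(w, n, ell, m):
    """The subset encoded by W, or None if W is not a valid encoding."""
    num = math.comb(n, ell)
    if w >= (2 ** m // num) * num:
        return None
    return unrank_subset(w % num, n, ell)


def ideal_interactive_hashing(w, m, rng):
    """Idealised IH box: outputs W and a uniform W' != W in lexicographic order (no protocol run)."""
    other = rng.randrange(2 ** m - 1)
    other += other >= w
    return tuple(sorted((w, other)))


def toeplitz_ext(x_bits, seed, u):
    """Stand-in Ext: Toeplitz hash, output bit j = XOR_i x_i * seed_{i+j}; seed has len(x)+u-1 bits."""
    out = 0
    for j in range(u):
        bit = 0
        for i, xi in enumerate(x_bits):
            bit ^= xi & ((seed >> (i + j)) & 1)
        out = (out << 1) | bit
    return out


def bs_ot(s0, s1, c, R, n, u, rng):
    """One honest execution of BS-OT over the string R. Returns (Bob's output, leak), where leak
    says whether Bob happened to hold all of R_{C_{1-d}} too; returns None if the protocol aborts."""
    N = len(R)
    ell = n * n // (2 * N)                                   # ell = n^2 / 2N (Fig. 5)
    m = 10 * ell * math.ceil(math.log2(n))                   # m = 10 ell log n (Fig. 5)
    # Subsets stage: Alice stores R_A, Bob stores R_B, Alice sends A (A itself stands for P here).
    A = sorted(rng.sample(range(N), n))
    R_A = [R[i] for i in A]
    B = set(rng.sample(range(N), n))
    R_B = {i: R[i] for i in B}
    inter = [p for p, i in enumerate(A) if i in B]           # Bob: C = A ∩ B, as positions inside A
    if len(inter) < ell:
        return None                                          # |C| < ell: abort
    C = sorted(rng.sample(inter, ell))                       # |C| > ell: truncate at random
    W = encode_subset(C, n, ell, m, rng)                     # Bob: W = F_m(C, Q)
    # Interactive hashing stage.
    W0, W1 = ideal_interactive_hashing(W, m, rng)
    subsets = [decode_subset(W0, n, ell, m), decode_subset(W1, n, ell, m)]
    if None in subsets:
        return None                                          # invalid encoding: abort
    # Choice stage.
    d = 0 if W0 == W else 1
    e = c ^ d                                                # Bob -> Alice
    Y = [rng.getrandbits(ell + u - 1) for _ in range(2)]     # Alice -> Bob: seeds Y_0, Y_1
    # Transfer stage.
    X = [[R_A[p] for p in subsets[i]] for i in range(2)]     # Alice: X_i = R_{C_i}
    s = (s0, s1)
    Z = [s[i ^ e] ^ toeplitz_ext(X[i], Y[i], u) for i in range(2)]   # Z_i = s_{i xor e} xor Ext(X_i, Y_i)
    # Bob: X = R_C from his own storage R_B, then open Z_{c xor e} (= Z_d).
    X_bob = [R_B[A[p]] for p in C]
    output = toeplitz_ext(X_bob, Y[c ^ e], u) ^ Z[c ^ e]
    leak = all(A[p] in B for p in subsets[1 - d])
    return output, leak


def run_demo(seed=1, N=256, n=64, u=4, trials=20):
    """Several honest runs on one constructed R; returns (runs completed, runs where Bob got s_c)."""
    rng = random.Random(seed)
    R = [rng.getrandbits(1) for _ in range(N)]               # the long random string (constructed)
    completed = correct = 0
    for _ in range(trials):
        s0, s1, c = rng.getrandbits(u), rng.getrandbits(u), rng.getrandbits(1)
        result = bs_ot(s0, s1, c, R, n, u, rng)
        if result is not None:
            completed += 1
            correct += result[0] == (s1 if c else s0)
    return completed, correct
```

`run_demo` reports how many trials completed (the rest aborted on $|A \cap B| < \ell$, which with $N = 256$, $n = 64$, $\ell = 8$ is rare) and how many of those produced $s_c$; the `leak` flag records whether $C_{1-d}$ happened to fall inside $B$, the event an honest-but-curious Bob would need in order to open the other ciphertext as well.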

Theorem 7.2 For every choice of ingredients of BS-OT, the protocol is secure for Bob.

Proof: We show that for any strategy $A^*$, the view of $A^*$ is independent of the bit $c$. This is shown by the following argument: Fix the randomness of $A^*$ and $\mathcal{R}$. We show a perfect bijection between possible pairs of $B$'s randomness $r_B$ and input $c$. That is, for each pair $(r_B, c)$ that is consistent with the view $V$ of $A^*$, there exists a unique pair $(r'_B, 1-c)$ such that $r'_B$ and $1-c$ are consistent with the same view $V$. There are two possible options for a view $V = \mathrm{view}_{A^*}$:

— The protocol aborts before the choice stage where Bob sends Alice the value $e = c \oplus d$. In such a case, the view $V$ is totally independent of $c$ and we map every consistent $r_B$ to itself ($r'_B = r_B$). Clearly $r_B$ is consistent with both $c = 0$ and $c = 1$.

— $V$ includes the message $e = c \oplus d$ sent by Bob. In such a case, suppose that $(r_B, c)$ is consistent with $V$. That is, $r_B$ is the randomness that chooses the random set $B$ so that $C = A \cap B$ is encoded by the string $W_d$. By the fact that the protocol did not abort, we are assured that $W_{1-d}$ also encodes a legal set $C'$. Then we choose $r'_B$ to be the randomness that chooses $B' = (B \setminus C) \cup C'$ and encodes $C'$ by $W_{1-d}$. This perfectly defines $(r'_B, 1-c)$, which is consistent with the view $V$. Furthermore, $(r'_B, 1-c)$ is mapped by the same process back to $(r_B, c)$, hence we get a perfect bijection.

Theorem 7.2 follows.

The following theorem (which is technically the most challenging theorem of this paper) guarantees Alice's security against bounded storage receivers. This theorem refers to a list of requirements on the parameters of the ingredients which appears in Figure 5.

Theorem 7.3 For every $\nu < 1$ (not necessarily constant), if all the requirements in Figure 5 are met then protocol BS-OT is $(\nu N, \epsilon)$-secure for Alice.

The proof of this theorem is long and technical and appears in the full version of this paper. Section 9 is dedicated to giving an outline of this proof.

As we show in Section 8, $\mathrm{Ext}$, $\mathrm{Samp}_A$ and 4M-IH satisfy all the requirements in Figure 5 for $\epsilon = 2^{-\Omega(\ell)}$. Theorem 7.3 thus implies the following corollary.

Corollary 7.4 Let $\mathrm{Ext}$, $\mathrm{Samp}_A$ and IH be chosen as in Theorem 6.1. Protocol BS-OT is $(\nu N, \epsilon)$-secure for Alice, for $\epsilon = 2^{-a\ell}$ where $a > 0$ is a constant that depends on $\nu$.



Lemma 7.5 Let $\mathrm{Ext}$, $\mathrm{Samp}_A$ and IH be chosen as in Theorem 6.1. The statements in the itemized list in Theorem 6.1 hold.

Proof: It is easy to verify that the protocol has 5 messages (not including the transmission of $\mathcal{R}$). By Section 8 the extractor and sampler run in time polynomial in $n$ and space $\mathrm{poly}(\ell) + O(n)$. Protocol 4M-IH runs in time and space polynomial in $m = 10\ell\log n$. Thus, both parties run in time polynomial in $n$. Both parties require space $n$ to store $\mathcal{R}_A$ and $\mathcal{R}_B$ and space $\mathrm{poly}(\ell)$ to play 4M-IH. Alice's set $A$ is chosen by a sampler with $\log L_A = O(\ell)$, thus it can be stored in space $O(\ell)$. Overall, Alice's space is bounded by $O(n) + \mathrm{poly}(\ell)$. Bob's set $B$ is a random set, and thus takes $O(n\log n)$ bits to store. We conclude that both players can run their strategies in space $O(n\log n) + \mathrm{poly}(\ell)$, which is bounded by $O(n\log n)$ for sufficiently small $\alpha$ (as $\ell \le n^\alpha$), as required. The protocol passes secrets of length $m_E$ where $m_E = \Omega(\ell)$. Finally, the longest message sent in the protocol is the description of the permutation $\pi$ in the interactive hashing, which is of length at most $\ell^{O(1)}$.



8 Choosing the Ingredients

We now turn to choose the ingredients for BS-OT to get the parameters guaranteed in Theorem 6.1. Given $n, N, u, \nu$, we shoot for $\epsilon = 2^{-\Omega(\ell)}$. We need to show an extractor and sampler that satisfy the conditions specified in Figure 5.

The extractor. In [RRV99] it was shown how to construct a $(k_E, \epsilon_E)$-strong extractor $\mathrm{Ext}: \{0,1\}^\ell \times \{0,1\}^{d_E} \to \{0,1\}^u$ for every $k_E$, with $u = k_E - 2\log(1/\epsilon_E) - O(1)$ and $d_E = c\log(1/\epsilon_E)$ for some constant $c$, as long as $\log(1/\epsilon_E) \ge \log^2\ell$. Setting $k_E = \delta'_A\ell/6$, we can get $u = \delta'_A\ell/12$ for $d_E \le \delta'_A\ell/12$ and $\epsilon_E = 2^{-c'\delta'_A\ell}$ for some constant $c' > 0$ (which depends on $c$). This choice satisfies the requirements in Figure 5. We note that the above extractor can be computed in time and space polynomial in $\ell$.

The sampler. In [Vad03] it was shown how to construct a $(\mu, \theta, \gamma)$-averaging sampler $\mathrm{Samp}: [L] \to [v]^t$ with distinct samples for every $\mu > \theta > 0$ and $\gamma > 0$ as long as $t \ge \Omega(\log(1/\gamma)/\theta^2)$. This sampler has $\log L \le \log(v/t) + \log(1/\gamma)(1/\theta)^{O(1)}$. By Lemma 3.9, for every $\delta, \gamma$ such that $\log(1/\gamma)/\delta^4 \le n$, this sampler yields a $(\delta, \delta/2, \phi, \tau)$-min-entropy sampler $\mathrm{Samp}_A: [L_A] \to [N]^n$ with $\phi, \tau \le \gamma + (\gamma + 2^{-\Omega(\delta^4 n)})^{1/2}$. Setting $\gamma = 2^{-\ell}$ we have that as long as $n \ge \ell/\delta^4$ this sampler has $\phi = \tau = 2^{-\Omega(\ell)}$ and $\log L_A \le \log n + \ell(1/\delta)^{O(1)}$.

Note that the condition $n \ge \ell/\delta^4$ is satisfied when $\nu$ is a constant (as in this case $\delta = \delta_A$ is also a constant).^12 We also note that the above sampler can be computed in time polynomial in $n$ and space $O(n)$.

The interactive hashing protocol. We need to show that protocol 4M-IH satisfies the requirements of Figure 5. It is required there that 4M-IH is $(s, 2^{-\Omega(\delta'_A\ell/\log(1/\delta'_A))})$-secure for $s \le m - c_{IH}\,\delta'_A\ell/\log(1/\delta'_A) + 1$, where $c_{IH} > 0$ is some constant and $\delta'_A = a(1-\nu)$ for some $a > 0$. By Theorem 5.7, we have that

$$p \le 2^{-c_{IH}\,\delta'_A\ell/\log(1/\delta'_A) + O(\log m)} \le 2^{-\Omega(\delta'_A\ell/\log(1/\delta'_A))}$$

as $m = 10\ell\log n$ and $\ell \ge \log n$. When $\nu$ is a constant, $\delta'_A$ is also a constant and we have that $p = 2^{-\Omega(\ell)}$ as required. We note that protocol 4M-IH requires time and space polynomial in $\ell$.

12 We remark that we don't have to require that $\nu$ is a constant. Our protocol also works for $\nu = 1 - o(1)$ as long as the condition above ($n \ge \ell/\delta^4$) is satisfied.
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9 Overview of Proof of Security for Alice 

Theorem 7.3 regarding Alice’s security is somewhat technical and involves many 
parameters. Due to lack of space, we will only give a sketch of the proof while 
ignoring the precise parameters. 

Fix some bounded storage strategy $B^*$ with storage bound $\nu N$ for some 
$\nu < 1$, and an input $c$. We need to show that there exists a random variable $C$ 
determined in the setup stage such that for every two pairs of secrets $s, s'$ which 
are $C$-consistent the view of $B^*$ is distributed roughly the same way no matter 
whether Alice's input is $s$ or $s'$. 

Recall that in the protocol, the secrets $s_0, s_1$ are only involved in the transfer 
stage, where $Z_i = \mathrm{Ext}(X_i, Y_i) \oplus s_i$ for $i \in \{0, 1\}$. Our goal is to show that there 
exists a random variable $I$ determined in the setup stage such that for every 
choice of secrets $s_0, s_1$, the string $Z_I$ is close to uniformly distributed from $B^*$'s 
point of view. More precisely, for every $i \in \{0, 1\}$ we split Alice's messages into 
$Z_i$ and all the rest of the messages, which we denote by $MSG_i$. For every fixing 
$r$ of $\mathcal{R}$ and $msg_i$ of $MSG_i$, $B^*$'s point of view on $Z_i$ is captured by considering 
the distribution $Z'_i = (Z_i \mid g^*(\mathcal{R}) = g^*(r), MSG_i = msg_i)$. We show that for most 
fixings $r$ and $msg_i$, the random variable $Z'_I$ is close to uniformly distributed. 

We now explain how we achieve this goal. It is instructive to first consider 
a simplified scenario in which $B^*$ chooses to remember the content of $\mathcal{R}$ at $\nu N$ 
indices. We call these indices "bad" indices, and the remaining $(1 - \nu)N$ indices 
"good" indices. Let $\delta = 1 - \nu$. The proof proceeds as follows: 

1. We note that $B^*$ does not remember the $\delta N$ good indices. 

2. When Alice uses a sampler to choose $A$, with high probability she hits a 
large fraction (say $\delta n/2$) of the good indices. 

3. We have that the set $A$ contains many good indices. If we were to choose 
a random subset of $A$ with $\ell$ indices, then with high probability we would hit 
many (say $\delta \ell/4$) good indices. Let $\mathcal{S}$ be the set of all such subsets which hit 
fewer indices. By the above argument $\mathcal{S}$ is a small set. 

4. It follows that when Alice and Bob use interactive hashing to determine the 
subsets $C_0$ and $C_1$, at least one of the subsets is not in $\mathcal{S}$. We define the 
random variable $I$ to point to this subset. It follows that $C_I$ contains many 
good indices. 

5. We now consider $X_I = \mathcal{R}_{C_I}$ given $MSG_I$. As it contains many good indices, 
it has high min-entropy. It follows that with high probability over the choice 
of $Y_I$, $\mathrm{Ext}(X_I, Y_I)$ is close to uniformly distributed even given $MSG_I$. Thus, 
$Z_I$ is close to uniformly distributed as required. 

We now sketch how to make this argument work when $B^*$ is allowed to 
remember an arbitrary function $g^* : \{0, 1\}^N \to \{0, 1\}^{\nu N}$ of $\mathcal{R}$. Intuitively, the 
notion of "min-entropy" replaces that of "good bits" in this case. 

1. It is easy to see that for most fixings $r$ of $\mathcal{R}$, the random variable 
$(\mathcal{R} \mid g^*(\mathcal{R}) = g^*(r))$ has high min-entropy (say $\Omega(\delta N)$). 

2. When Alice uses a min-entropy sampler, for most fixings $p$ of $P$ she obtains 
a set $A$ such that $(\mathcal{R}_A \mid g^*(\mathcal{R}) = g^*(r), P = p)$ has high min-entropy. 

3. Choosing a random subset is a min-entropy sampler, and thus for most 
choices of a subset $C$ of $A$ of size $\ell$, $(\mathcal{R}_C \mid g^*(\mathcal{R}) = g^*(r), P = p)$ has high 
min-entropy. 

4. As before it follows that following the interactive hashing, with high 
probability there exists an $I$ such that $(\mathcal{R}_{C_I} \mid g^*(\mathcal{R}) = g^*(r), P = p)$ has high 
min-entropy. 

5. Here we have to be a little more careful than before. It is no longer the case 
that $\mathcal{R}_{C_0}, \mathcal{R}_{C_1}$ are independent given the conditioning. Thus, it may 
be the case that $Z_{1-I}$ gives information about $\mathcal{R}_{C_I}$. However, we set the 
parameters so that $\mathcal{R}_{C_I}$ has min-entropy much larger than the length of the 
pair $(Z_{1-I}, Y_{1-I})$. As a consequence we can argue that for most fixings $z_{1-I}$ 
and $y_{1-I}$, $(\mathcal{R}_{C_I} \mid g^*(\mathcal{R}) = g^*(r), P = p, Z_{1-I} = z_{1-I}, Y_{1-I} = y_{1-I})$ has high 
min-entropy. Thus, running an extractor, with high probability over $Y_I$ we 
obtain a distribution which is close to uniform given $MSG_I$ just as before. 

10 Conclusions and Open Problems 

We have shown a 5-message protocol for oblivious transfer in the bounded storage 
model. As mentioned before, this protocol has some additional concrete 
improvements over previous work [CCM98,Din01]. 

Our protocol achieves $k$ very close to $\sqrt{K} \approx \sqrt{N}$. In words, the space of 
the honest parties is about a square root of the space allowed for the malicious 
parties. It is not clear whether there exist protocols that allow $k = N^{\delta}$ for every 
constant $\delta > 0$. We remark that to achieve $\delta < 1/2$ it is required to break the 
"birthday paradox barrier". A typical first step of a bounded storage protocol 
instructs both parties to store random subsets of $\mathcal{R}$. When $k \ll \sqrt{N}$ these 
sets are not likely to overlap. It seems that breaking this barrier requires 
introducing some new ideas. We mention that to the best of our knowledge, this 
barrier is also present in protocols for Key-Agreement in the bounded storage 
model [Mau93,CM97]. 

We give a new constant round protocol for interactive hashing. This protocol 
can replace the NOVY-protocol of [NOVY98] in our setting. A similar phenomenon 
was observed also in the context of Zero-Knowledge. Damgard [Dam93] 
used the NOVY-protocol to give certain transformations of "honest verifier" 
Zero-Knowledge protocols into general Zero-Knowledge protocols. Later works 
[DGOW95,GSV98] replaced the NOVY-protocol with a constant round protocol. 
This raises the question whether the NOVY-protocol can be replaced by a 
constant round protocol for the application in [NOVY98], that is, for constructing 
perfectly hiding bit commitment schemes from arbitrary one-way permutations. 
We remark that constant round perfectly hiding bit commitment schemes 
are known only using seemingly stronger assumptions [NY89,DPP93,GK96]. 

The NOVY-protocol achieves a stronger security for interactive hashing than 
the one defined here. This stronger security allows its use in the application of 
[NOVY98]. Loosely speaking, it is shown in [NOVY98] that their protocol is 
secure in the following sense: for every polynomial time malicious strategy $B^*$ 
for Bob there is a polynomial time "simulator" $A_{B^*}(W)$ such that for most 
$W \in \{0, 1\}^m$, the simulator can run $B^*$ playing Alice's role and generate random 
transcripts in which one of the outputs is $W$. (Intuitively, this is a stronger 
and computational form of the intuition that Bob does not "control" the two 
outputs.) Obtaining this property with fewer rounds seems hard. A very related 
open problem was raised in [DGW95] in the context of Zero-Knowledge. 
Abstract. We consider the problem of threshold secret sharing in 
groups with hierarchical structure. In such settings, the secret is shared 
among a group of participants that is partitioned into levels. The access 
structure is then determined by a sequence of threshold requirements: a 
subset of participants is authorized if it has at least $k_0$ members from 
the highest level, as well as at least $k_1 > k_0$ members from the two 
highest levels and so forth. Such problems may occur in settings where 
the participants differ in their authority or level of confidence and the 
presence of higher level participants is imperative to allow the recovery 
of the common secret. Even though secret sharing in hierarchical groups 
has been studied extensively in the past, none of the existing solutions 
addresses the simple setting where, say, a bank transfer should be signed 
by three employees, at least one of whom must be a department manager. 
We present a perfect secret sharing scheme for this problem that, unlike 
most secret sharing schemes that are suitable for hierarchical structures, 
is ideal. As in Shamir's scheme, the secret is represented as the free 
coefficient of some polynomial. The novelty of our scheme is the usage of 
polynomial derivatives in order to generate lesser shares for participants 
of lower levels. Consequently, our scheme uses Birkhoff interpolation, 
i.e., the construction of a polynomial according to an unstructured set 
of point and derivative values. A substantial part of our discussion is 
dedicated to the question of how to assign identities to the participants 
from the underlying finite field so that the resulting Birkhoff 
interpolation problem will be well posed. In the course of this discussion, we 
borrow some results from the theory of Birkhoff interpolation over $\mathbb{R}$ 
and import them to the context of finite fields. 



1 Introduction 

A $(k, n)$-threshold secret sharing is a method of sharing a secret among a given 
set of $n$ participants, $U$, such that every $k$ of those participants ($k \le n$) could 
recover the secret by pooling their shares together, while no subset of less than 
$k$ participants can do so [4,15]. Generalized secret sharing refers to situations 
where the collection of permissible subsets of $U$ is any collection $\Gamma \subseteq 2^U$. Given 
such a collection, the corresponding generalized secret sharing is a method of 
sharing a secret among the participants of $U$ such that only subsets in $\Gamma$ (which is 
referred to as the access structure) may recover the secret, while all other subsets 
cannot; this makes sense, of course, only if the access structure is monotone in 
the sense that if $B \in \Gamma$ then any superset of $B$ also belongs to $\Gamma$. 

There are many real-life examples of threshold secret sharing. Typical exam- 
ples include sharing a key to the central vault in a bank, the triggering mechanism 
for nuclear weapons, or key escrow. We would like to consider here a special kind 
of generalized secret sharing scenarios that is a natural extension of threshold 
secret sharing. In all of the above mentioned examples, it is natural to expect 
that the participants are not equal in their privileges or authorities. For example, 
in the bank scenario, the shares of the vault key may be distributed among bank 
employees, some of whom are tellers and some are department managers. The 
bank policy could require the presence of, say, 3 employees in opening the vault, 
but at least one of them must be a department manager. Or in key escrow, the 
dealer might demand that some escrow agents (say, family members) must be 
involved in any emergency access to his private files. Such settings call for special 
methods of secret sharing. To this end, we define hierarchical secret sharing as 
follows: 

Definition 1. Let $U$ be a set of $n$ participants and assume that $U$ is composed of 
levels, i.e., $U = \bigcup_{i=0}^{m} U_i$ where $U_i \cap U_j = \emptyset$ for all $0 \le i < j \le m$. Let $k = \{k_i\}_{i=0}^{m}$ 
be a monotonically increasing sequence of integers, $0 < k_0 < \cdots < k_m$. Then the 
$(k, n)$-hierarchical threshold secret sharing problem is the problem of assigning 
each participant $u \in U$ a share of a given secret $S$ such that the access structure 
is 

$\Gamma = \{ V \subseteq U : |V \cap (\bigcup_{j=0}^{i} U_j)| \ge k_i \ \ \forall i \in \{0, 1, \ldots, m\} \}$ (1) 


In other words, if $\sigma(u)$ stands for the share assigned to $u \in U$, and for any 
$V \subseteq U$, $\sigma(V) = \{\sigma(u) : u \in V\}$, then 

$H(S \mid \sigma(V)) = 0 \quad \forall V \in \Gamma$ (accessibility) (2) 

while 

$H(S \mid \sigma(V)) = H(S) \quad \forall V \notin \Gamma$ (perfect security). (3) 



The zero conditional entropy equality (2) should be understood in a constructive 
sense. Namely, if it holds then V may compute S. 

There are few methods of solving this problem. The simplest way [18] is to 
generate $m$ random and independent secrets $S_i$, $1 \le i \le m$, of the same size 
as $S$ and define $S_0 = S \oplus S_1 \oplus \cdots \oplus S_m$. Then, for every $0 \le i \le m$, the 
secret $S_i$ is distributed among all participants of $\bigcup_{j=0}^{i} U_j$ using a $(k_i, |\bigcup_{j=0}^{i} U_j|)$ 
threshold secret sharing scheme. The secret $S$ may be recovered only if all $S_i$, 
$0 \le i \le m$, are recovered. As the recovery of $S_i$ requires the presence of at least $k_i$ 
participants from $\bigcup_{j=0}^{i} U_j$, the access requirements are met by this solution. This 
scheme is perfect since if $V \notin \Gamma$, it fails to satisfy at least one of the threshold 
conditions in (1) and, consequently, it is unable to learn a thing about the 
corresponding share $S_i$; such a deficiency implies (3). However, its information 
rate is $1/(m+1)$ since all members of $U_0$ are assigned $m+1$ shares. 
Another method is the monotone circuit construction due to Benaloh and 
Leichter [2]. Assume a monotone access structure $\Gamma$ over a set of $n$ participants. 
Let $C(x_1, \ldots, x_n)$ be a monotone circuit that recognizes the access structure 
(namely, $C(x_1, \ldots, x_n) = 1$ if and only if the subset of the variables that have a 1 
value belongs to $\Gamma$). They then show how to build a perfect secret sharing scheme 
from the description of that circuit. However, for threshold access structures 
the resulting schemes are far from being ideal. Even for the simplest threshold 
problem of only one level (i.e., all participants are equal), an optimal circuit is 
of size $O(n \log n)$ [9], which implies an information rate of $O(1/\log n)$ for the 
corresponding secret sharing scheme. 

Another construction is due to Brickell [5]. The main observation in his 
construction is the following: let $\mathbb{F}$ be a finite field such that $S \in \mathbb{F}$ and let $\mathbb{F}^d$ be the 
$d$-dimensional vector space over that field. Assume that there exists a function 
$\phi : U \to \mathbb{F}^d$ with the property 

$(1, 0, \ldots, 0) \in \mathrm{Span}\{\phi(u) : u \in V\} \iff V \in \Gamma$. (4) 

Then the dealer selects random and independent values $a_i \in \mathbb{F}$, $2 \le i \le d$, and 
then 

$\sigma(u) = \phi(u) \cdot \mathbf{a}$ where $\mathbf{a} = (S, a_2, \ldots, a_d)$. (5) 

This is indeed a perfect secret sharing scheme, (2)+(3), and, as opposed to the 
previous construction of Benaloh and Leichter, it is ideal since every participant 
receives a share that is of the same size as the secret. Alas, finding a mapping $\phi$ 
that satisfies condition (4) is not simple. Given a specific access structure, it is 
usually a matter of trial and error until such a $\phi$ is found. 



In this paper, we present a simple solution for the hierarchical secret sharing 
problem that is both perfect and ideal. Our construction is, in fact, a realization 
of the general vector space construction of Brickell for the case of hierarchical 
threshold secret sharing. Our idea is based on Birkhoff interpolation (also 
known as Hermite-Birkhoff or lacunary interpolation). The basic threshold secret 
sharing of Shamir [15] was based upon Lagrange interpolation, namely, the 
construction of a polynomial of degree less than or equal to $k$ from its values 
in $k+1$ distinct points. There are two other types of interpolation that are 
encountered in numerical analysis. In such problems, one is given data of the 
form 

$P^{(j)}(x_i) = \frac{d^j P}{dx^j}(x_i) = c_{i,j} \quad$ ($k+1$ equations) (6) 

and seeks a polynomial of degree less than or equal to $k$ that agrees with the 
given data (6). If for each $i$ (namely, at each interpolation point) the sequence 
of the derivative orders $j$ that are given by (6) is an unbroken sequence that 
starts at zero, $j = 0, \ldots, j_i$, then the problem falls under the framework of 
Hermite interpolation. In that case, the problem always admits a unique solution 
$P \in \mathbb{R}_k[x]$. The more general case is when the data is lacunary in the sense that, 
at some sample points, the sequence of orders of derivatives is either broken or 
does not start from $j = 0$. This case is referred to as Birkhoff interpolation and 
it differs radically from the more standard Hermite or Lagrange interpolation. 
In particular, Birkhoff interpolation problems may be ill posed in the sense that 
a solution may not exist or may not be unique. 

In our method, like in Shamir's, the secret is the free coefficient of some 
polynomial $P(x) \in \mathbb{F}_{k-1}[x]$, where $\mathbb{F}$ is a large finite field and $k = k_m$ is the 
maximal threshold, i.e., the total number of participants that need to collaborate 
in order to reconstruct the secret. Each participant $u \in U$ is given an identity 
in the field, denoted also $u$, and a share that equals $P^{(j)}(u)$ for some derivative 
order $j$ that depends on the position of $u$ in the hierarchy. The idea is that 
the more important participants (namely, participants who belong to levels with 
lower index) will get shares with lower derivative orders, since lower derivatives 
carry more information than higher derivatives. By choosing the derivative orders 
properly, this allocation of shares dictates the threshold access requirements 
(1). As a consequence, when an authorized subset collaborates and attempts to 
recover the secret, they need to solve a Birkhoff interpolation problem. Hence, a 
great part of our analysis is devoted to the question of how to assign participants 
identities in the field so that the Birkhoff interpolation problems that are 
associated with the authorized subsets would be well posed. 

Organization of the paper. In Section 2 we review the basic terminology and 
results from the theory of Birkhoff interpolation [12]. We present those results 
in the context of the reals, $\mathbb{R}$, which is the natural context in numerical analysis. 
However, as $\mathbb{R}$ is not the field of choice in cryptography, one should be very 
careful when borrowing results from such a theory and migrating them to the 
context of finite fields. The algebraic statements usually travel well and survive 
the migration; the analytic ones, however, might not. Part of our analysis later 
on will be dedicated to those issues. Section 3 is devoted to our scheme. After 
presenting the scheme, we discuss in Section 3.1 conditions for accessibility, (2), 
and perfect security, (3). Then, we proceed to examine strategies for allocating 
participant identities in the underlying finite field so that accessibility and 
perfect security are achieved. In Section 3.2 we consider the strategy of random 
allocation of participant identities and prove that such a strategy guarantees that 
both (2) and (3) hold with almost certainty. In Section 3.3 we consider a simple 
monotone allocation of participant identities. Borrowing an interesting result 
from the theory of Birkhoff interpolation, we prove that such an allocation is 
guaranteed to provide both accessibility and perfect security, (2)+(3), provided 
that the prime order of the field is sufficiently large with respect to $n$ (number of 
participants) and $k_m$ (minimal number of participants in an authorized subset) 
(Theorem 4). 

Related work. The problem of secret sharing in hierarchical (or multilevel) 
structures was studied before under different assumptions, e.g. [3,5,6,7,16,17]. 
Already Shamir, in his seminal work [15], has recognized that in some settings it 
would be desired to grant different capabilities to different participants according 
to their level of authority. He suggested to accomplish that by giving the 
participants of the more capable levels a greater number of shares. More precisely, if $U$ 
has a hierarchical structure as in Definition 1, the participants in $U_i$, $0 \le i \le m$, 
get $w_i$ shares of the form $(u, P(u))$, $u \in \mathbb{F}$, where $w_0 > w_1 > \cdots > w_m$. This 
way, the number of participants from a higher level that would be required in 
order to reconstruct the secret would be smaller than the number of participants 
from a lower level that would need to cooperate towards that end. 

Simmons [16], and later Brickell [5], considered a similar, yet slightly more 
rigid setting. Assume a scenario where an electronic fund transfer (up to some 
maximum amount) may be authorized by any two vice presidents of a bank, or, 
alternatively, by any three senior tellers. A natural requirement in such a scenario 
is that also a mixed group of one vice president and two senior tellers could 
recover the private key that is necessary to sign and authorize such a transfer. 
Motivated by this example, Simmons studied a general hierarchical threshold 
secret sharing problem that agrees with the problem in Definition 1 with one 
difference: while we require in (1) a conjunction of threshold conditions, Simmons 
studied the problem with a disjunction of the threshold conditions. Namely, in 
his version of the problem, 

$\Delta = \{ V \subseteq U : \exists i \in \{0, 1, \ldots, m\} \text{ for which } |V \cap (\bigcup_{j=0}^{i} U_j)| \ge k_i \}$. (7) 

His solution to that version is based on a geometric construction that was 
presented by Blakley [4]. Assume that the secret $S$ is $d$-dimensional (typically $d = 1$; 
however, Simmons' construction may easily deal with the simultaneous sharing 
of $d > 1$ secrets as well). Then the construction is embedded in $\mathbb{F}^r$, where $\mathbb{F}$ is a 
large finite field and $r = k_m + d - 1$. Simmons suggests to construct a chain of 
affine subspaces $W_0 \subset W_1 \subset \cdots \subset W_m$ of dimensions $k_i - 1$, $0 \le i \le m$, together 
with a publicly known affine subspace $W_S$ of dimension $d$, with the property that 
$W_i \cap W_S = \{S\}$ for all $0 \le i \le m$ (i.e., each $W_i$ intersects $W_S$ in a single point 
whose $d$ coordinates in $W_S$ are the $d$ components of the secret $S$). Then, each 
participant from level $U_i$ gets a point in $W_i \setminus W_{i-1}$, $0 \le i \le m$ ($W_{-1} = \emptyset$), 
such that every $k_i$ points from $\bigcup_{j=0}^{i} U_j$ span the entire subspace $W_i$. Hence, if 
a subset of participants $V$ satisfies at least one of the threshold conditions, say, 
$|V \cap (\bigcup_{j=0}^{i} U_j)| \ge k_i$ for some $i$, $0 \le i \le m$, then the corresponding $W_i$ may be 
constructed and intersected with $W_S$ to yield the secret $S$. 

Shamir's version of the hierarchical setting is slightly more relaxed than 
Simmons'. In the former, the number of participants that are required for recovery is 
determined by a weighted average of the thresholds that are associated with each 
of the levels that are represented in the subset of participants. In the latter, the 
necessary number of participants is the highest of the thresholds that are 
associated with the levels that are represented. However, it is natural to expect that 
more rigid conditions will be imposed in some scenarios. Namely, even though 
higher level (i.e., important) participants could be replaced by lower level ones, 
a minimal number of higher level participants would still need to be involved 
in any recovery of the secret. For example, the common practice of authorizing 
electronic fund transfers does call for the presence of at least one vice president 
or department manager. The above described solutions of Shamir and Simmons 
are incapable of imposing such restrictions since they allow the recovery of the 
secret for any subset of lower-level participants that is sufficiently large. This 
difference in the definition of the problem is manifested by the replacement of 
the existential quantifier $\exists$ in (7) with the universal quantifier $\forall$ in (1). 

We note that none of the above mentioned explicit secret sharing schemes 
that are suitable for hierarchical structures (i.e., the first solution of splitting the 
secret to $m+1$ sub-secrets, Benaloh and Leichter's monotone circuit construction, 
Shamir's scheme and Simmons' scheme) is ideal. The scheme introduced herein 
is. 

Padro and Saez [13] studied the information rate of secret sharing schemes 
with a bipartite access structure. A bipartite access structure is one in which 
there are two levels of participants, $U = U_0 \cup U_1$, and all participants in the 
same level play an equivalent role in the structure. They showed that the ideal 
bipartite access structures are exactly those that are vector space access 
structures, namely, are consistent with Brickell's construction [5]. Furthermore, they 
showed that all such ideal access structures are quasi-threshold in the sense that 
a subset $V \subseteq U$ is authorized if $|V|$, $|V \cap U_0|$ and $|V \cap U_1|$ satisfy some threshold 
conditions [13, Theorem 5]. They characterized four types of quasi-threshold 
access structures, denoted $\Omega_i$, $1 \le i \le 4$. It may be shown that when there are 
two levels, i.e., $m = 1$, our conjunctive problem, (1), is consistent with type $\Omega_2$ 
or $\Omega_3$, while Simmons' disjunctive problem, (7), agrees with $\Omega_1$. What we show 
in this paper is that in the multi-partite case, the conjunctive threshold access 
structures are vector space access structures and that Birkhoff interpolation yields an 
explicit construction. 

2 Birkhoff Interpolation 

Let $X = \{x_1, \ldots, x_k\}$ be a given set of points in $\mathbb{R}$, where $x_1 < x_2 < \cdots < x_k$, 
$E = (e_{i,j})_{1 \le i \le k,\ 0 \le j \le \ell}$ be a matrix with binary entries, $I(E) = \{(i,j) : e_{i,j} = 1\}$, 
$d = |I(E)|$, and $C = \{c_{i,j} : (i,j) \in I(E)\}$ be a set of $d$ real values (we assume 
hereinafter that the right-most column in $E$ is nonzero). Then the Birkhoff 
interpolation problem that corresponds to the triplet $(X, E, C)$ is the problem of 
finding a polynomial $P(x) \in \mathbb{R}_{d-1}[x]$ that satisfies the $d$ equalities 

$P^{(j)}(x_i) = c_{i,j}, \quad (i,j) \in I(E)$. (8) 

The matrix $E$ is called the interpolation matrix. 

Unlike Lagrange or Hermite interpolation that are unconditionally well 
posed, the Birkhoff interpolation problem may not admit a unique solution. 
The pair $(X, E)$ is called regular if the system (8) has a unique solution for any 
choice of $C$, and singular otherwise. The matrix $E$ is called regular or poised if 
$(X, E)$ is regular for all $X = \{x_1 < x_2 < \cdots < x_k\} \subset \mathbb{R}$. 

The following lemma provides a simple necessary condition that $E$ must 
satisfy, lest $(X, E)$ would be singular for all $X$ [14]. 

Lemma 1. (Polya's condition) A necessary condition that the interpolation matrix 
$E$ must satisfy in order for the corresponding Birkhoff interpolation problem 
to be well posed is that 

$|\{(i,j) \in I(E) : j \le t\}| \ge t + 1, \quad 0 \le t \le \ell$. (9) 
Polya's is a necessary condition. Sufficient conditions, on the other hand, are 
scarce. We continue to describe one such condition that will serve us later on in 
our application to secret sharing. To this end we define the following. 

Definition 2. A 1-sequence in the interpolation matrix $E$ is a maximal run of 
consecutive 1s in a row of the matrix $E$. Namely, a triplet of the form $(i, j_0, j_1)$ 
where $1 \le i \le k$, $0 \le j_0 \le j_1 \le \ell$, such that $e_{i,j} = 1$ for all $j_0 \le j \le j_1$ while 
$e_{i,j_0-1} = e_{i,j_1+1} = 0$ (letting $e_{i,-1} = e_{i,\ell+1} = 0$). A 1-sequence $(i, j_0, j_1)$ is called 
supported if $E$ has 1s both to the northwest and southwest of the leading entry 
in the sequence, i.e., there exist $i_{nw} < i$, $i_{sw} > i$ and $j_{nw}, j_{sw} < j_0$ such that 
$e_{i_{nw}, j_{nw}} = e_{i_{sw}, j_{sw}} = 1$. 

The following theorem was first proved by K. Atkinson and A. Sharma [1]. 

Theorem 1. Assume that $x_1 < x_2 < \cdots < x_k$. Then the interpolation problem 
(8) has a unique solution if the interpolation matrix $E$ satisfies Polya's condition 
and contains no supported 1-sequences of odd length. 

Lemma 1, being algebraic, is not restricted to the reals and applies over 
any field. Theorem 1, on the other hand, relies upon the existence of order in 
$\mathbb{R}$. Hence, as finite fields are not ordered, Theorem 1 does not apply to them. 
However, Theorem 1 may be of use over finite fields as well if we impose further 
restrictions on the set of points in $X$. This will be dealt with in Section 3.3. 
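As an added illustration that is not part of the paper, the following Python functions test an interpolation matrix against Polya's condition (9) and the Atkinson-Sharma criterion of Theorem 1, and build the matrix that a subset of participants of the scheme described later induces (the function names and the list-of-rows encoding of $E$ are choices of this example):

```python
# Added example (not the paper's code): regularity tests on a Birkhoff
# interpolation matrix E, written as a list of 0/1 rows, row i for node x_i
# and column j for derivative order j (Section 2).

def polya_condition(E):
    """Polya's condition (9): for every t, columns 0..t hold at least t+1 ones."""
    for t in range(len(E[0])):
        ones = sum(row[j] for row in E for j in range(t + 1))
        if ones < t + 1:
            return False
    return True


def one_sequences(E):
    """Maximal runs of consecutive 1s, as the triplets (i, j0, j1) of Definition 2."""
    seqs = []
    for i, row in enumerate(E):
        j = 0
        while j < len(row):
            if row[j] == 1:
                j0 = j
                while j + 1 < len(row) and row[j + 1] == 1:
                    j += 1
                seqs.append((i, j0, j))
            j += 1
    return seqs


def is_supported(E, seq):
    """Definition 2: supported if E has a 1 both north-west and south-west of
    the leading entry (i, j0), i.e. in an earlier and in a later row, in a
    column strictly left of j0."""
    i, j0, _ = seq
    nw = any(E[r][c] == 1 for r in range(i) for c in range(j0))
    sw = any(E[r][c] == 1 for r in range(i + 1, len(E)) for c in range(j0))
    return nw and sw


def atkinson_sharma(E):
    """Theorem 1 (sufficient condition for real nodes x_1 < ... < x_k):
    Polya's condition holds and no supported 1-sequence has odd length."""
    if not polya_condition(E):
        return False
    return not any((j1 - j0 + 1) % 2 == 1 and is_supported(E, (i, j0, j1))
                   for i, j0, j1 in one_sequences(E))


def scheme_matrix(levels, k):
    """Interpolation matrix induced by a subset V of the hierarchical scheme.

    levels: the level index of each member of V; k = [k_0, ..., k_m]. Rows are
    listed level by level, highest level first, as in (12). A member of level i
    holds the derivative of order k_{i-1} (k_{-1} = 0), so its row has a single
    1 in that column; the width k_m is the number of unknown coefficients.
    """
    E = []
    for lvl in sorted(levels):
        order = 0 if lvl == 0 else k[lvl - 1]
        E.append([1 if j == order else 0 for j in range(k[-1])])
    return E
```

For the bank hierarchy $k = (1, 3)$, one manager and two tellers give a matrix passing both tests, while three tellers already fail Polya's condition (no entry in column 0), matching the access structure (1).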

3 An Ideal Hierarchical Secret Sharing Scheme 

Consider the hierarchical secret sharing problem $(k, n)$, $k = \{k_i\}_{i=0}^{m}$, as defined 
in Definition 1. Let $\mathbb{F}$ be a finite field of large size, say $\mathbb{F}_q$ where $q$ is a prime 
number. The size of the field is determined by the size of the secret $S$ (for 
example, if $S$ is an AES key then $q$ should be at least 128 bits long). Let $k = k_m$ 
be the overall number of participants that are required for recovery of the secret. 
Then the dealer selects a random polynomial $P(x) \in \mathbb{F}_{k-1}[x]$, where 

$P(x) = \sum_{i=0}^{k-1} a_i x^i$ and $a_0 = S$, (10) 

and then distributes shares to all participants $u \in U$ in the following manner. 
First, each participant is identified with a field element, which we also denote 
by $u$ (i.e., $U$ may be viewed as a subset of the field $\mathbb{F}$). Then, each participant of 
the $i$th level in the hierarchy, $u \in U_i$, $0 \le i \le m$, receives the share $P^{(k_{i-1})}(u)$, 
i.e., the $(k_{i-1})$th derivative of $P(x)$ at $x = u$, where $k_{-1} = 0$. This scheme is 
of course ideal, as every participant receives a share that is a field element, just 
like the secret. Note that the Shamir secret sharing scheme [15] is a special case 
of our scheme since in that case all users belong to the same level (i.e., $U = U_0$) 
and, consequently, there are no derivatives and all users get shares of the form 
$P(u)$. 
3.1 Conditions for Accessibility and Perfect Security 

The main questions that arise with regard to the scheme are whether it complies 
with conditions (2) and (3). Let $V = \{v_1, \ldots, v_{|V|}\} \subseteq U$ and assume that 

$v_1, \ldots, v_{\ell_0} \in U_0$; $\ v_{\ell_0+1}, \ldots, v_{\ell_1} \in U_1$; $\ \ldots$; $\ v_{\ell_{m-1}+1}, \ldots, v_{\ell_m} \in U_m$, 
where $0 \le \ell_0 \le \ell_1 \le \cdots \le \ell_m = |V|$. (11) 

$V$ is authorized if and only if $\ell_i \ge k_i$ for all $0 \le i \le m$. Let $r : \mathbb{F} \to \mathbb{F}^k$ be 
defined as $r(x) = (1, x, \ldots, x^{k-1})$ and, for all $i \ge 0$, let $r^{(i)}(x)$ denote the 
$i$th derivative of that vector. Using this notation, we observe that the share that 
is distributed to participants $u \in U_i$ is $\sigma(u) = r^{(k_{i-1})}(u) \cdot \mathbf{a}$ where $\mathbf{a} = (a_0 = 
S, a_1, \ldots, a_{k-1})$ is the vector of coefficients of $P(x)$. Hence, when all participants 
of $V$, (11), pool together their shares, the system that they need to solve in the 
unknown vector $\mathbf{a}$ is $M_V \mathbf{a} = \boldsymbol{\sigma}$, where the coefficient matrix is (written by its 
rows), 

$M_V = \big( r(v_1), \ldots, r(v_{\ell_0});\ r^{(k_0)}(v_{\ell_0+1}), \ldots, r^{(k_0)}(v_{\ell_1});\ \ldots;\ r^{(k_{m-1})}(v_{\ell_{m-1}+1}), \ldots, r^{(k_{m-1})}(v_{\ell_m}) \big)$, (12) 

while 

$\boldsymbol{\sigma} = (\sigma(v_1), \sigma(v_2), \ldots, \sigma(v_{\ell_m}))^T$. 

In view of the discussion in Section 2, the system $M_V \mathbf{a} = \boldsymbol{\sigma}$ is not always solvable even 
if $V \in \Gamma$. Our first observation is as follows. 

Proposition 1. The Birkhoff interpolation problem that needs to be solved by 
an authorized subset satisfies Polya's condition (9). 

Next, assume that $0 \in U$ is a special phantom participant and that it belongs 
to the highest level $U_0$. This assumption enables us to answer both questions of 
accessibility and perfect security by examining the regularity of certain matrices. 

Theorem 2. Assume that $0 \in U_0$ and that for any minimal authorized subset 
$V \in \Gamma$ (namely, $|V| = k$), the corresponding square matrix $M_V$, (12), is regular, 
i.e., $\det M_V \ne 0$ in $\mathbb{F}$. Then conditions (2) (accessibility) and (3) (perfect 
security) hold. 



Proof. Let $V$ be a "genuine" authorized subset, namely $V \in \Gamma$ and $0 \notin V$. If $V$ 
is minimal, $|V| = k$, then $M_V$ is square and regular; therefore, $V$ may recover the 
polynomial $P(x)$ and, consequently, the secret $S$. If $V$ is not minimal, $|V| > k$, 
there exists a subset $V_0 \subset V$ of size $|V_0| = k$ that is authorized. Since all $|V|$ 
equations in the linear system of equations $M_V \mathbf{a} = \boldsymbol{\sigma}$ are consistent and since, by 
assumption, the sub-matrix $M_{V_0}$ is regular, then $M_V \mathbf{a} = \boldsymbol{\sigma}$ has a unique solution 
$\mathbf{a}$, the first component of which is the secret $S$. Therefore, the assumptions of 
the theorem imply accessibility. 

Next, we prove that those assumptions also imply the perfect security of 
the scheme. Let $V \in 2^U \setminus \Gamma$ be an unauthorized subset and assume that $V$ 
is as in (11). We aim at showing that even if all participants in $V$ pool their 
shares together, they cannot reveal a thing about the secret $S$. Every unauthorized 
subset may be completed into an authorized subset (though not necessarily 
minimal) by adding to it at most $k$ participants. Without loss of generality, we 
may assume that $V$ is missing only one participant in order to become authorized. 
Therefore, if we add to $V$ the phantom participant 0 we get an authorized 
subset, $V_1 = \{0\} \cup V \in \Gamma$, since 0 belongs to the highest level $U_0$. 

Let us assume first that $|V| = k - 1$. Then $|V_1| = k$ and, consequently, $M_{V_1}$ 
is square and regular. Therefore, the row in $M_{V_1}$ that corresponds to the user 0 
is independent of the rows that correspond to the original $k-1$ members of $V$, 
i.e., 

$r(0) = (1, 0, \ldots, 0) \notin \text{row-space}(M_V)$. 

Hence, the value of the secret $S$ is completely independent of the shares of $V$. 

Next, assume that $|V| > k - 1$. Assume that the single participant that $V$ 
is missing in order to become authorized is missing at the $j$th level for some 
$0 \le j \le m$; i.e., using the notations of (11), 

$\ell_i \ge k_i \ \ (0 \le i \le j-1), \quad \ell_j = k_j - 1 \quad \text{and} \quad \ell_i \ge k_i - 1 \ \ (j+1 \le i \le m)$. (13) 

Since $|V| = \ell_m > k - 1$, we conclude that $\ell_m - \ell_j > k - k_j$. All $\ell_m - \ell_j$ rows 
in $M_V$ that correspond to the participants of $V$ from levels $U_{j+1}$ through $U_m$ 
have at least $k_j$ leading zeros, since they all correspond to derivatives of order 
$k_j$ or higher. Therefore, those rows belong to a subspace of $\mathbb{F}^k$ of dimension 
$k - k_j$. Hence, we may extract from among them $k - k_j$ rows that still span the 
same subspace as the original $\ell_m - \ell_j$ rows. Let $W$ denote the subset of $V$ that 
corresponds to the $(\ell_m - \ell_j) - (k - k_j)$ redundant rows from among the last 
$\ell_m - \ell_j$ rows in $M_V$; let $V_0 = V \setminus W$. By (13), 

$|V_0| = |V| - |W| = \ell_m - [(\ell_m - \ell_j) - (k - k_j)] = \ell_j + k - k_j = k - 1$. 

Clearly, the removal from $V$ of the participants in $W$ cannot create new 
deficiencies, whence $V_0$, like $V$, also lacks only a single participant at the $j$th level in 
order to become authorized. Hence, we may apply to it our previous arguments 
and conclude that 

$r(0) = (1, 0, \ldots, 0) \notin \text{row-space}(M_{V_0})$. 

But since 

$\text{row-space}(M_{V_0}) = \text{row-space}(M_V)$, 

we arrive at the sought-after conclusion that 

$r(0) = (1, 0, \ldots, 0) \notin \text{row-space}(M_V)$, 

which implies perfect security. 
3.2 Random Allocation of Participant Identities

The first strategy of allocating participant identities that we consider is the random one. Namely, recalling that $|\mathcal{U}| = n$ and $|\mathbb{F}| = q$, the random strategy is such that

$$\mathrm{Prob}(\mathcal{U} = W) \;\ldots\; \qquad \forall\, W \subset \mathbb{F} \setminus \{0\}\,,\ |W| = n\,. \tag{14}$$


Theorem 3. Assume a random allocation of participant identities, (14). Let $V$ be a randomly selected subset from $2^{\mathcal{U}}$. Then if $V \in \Gamma$

$$\mathrm{Prob}\big(H(S \mid \sigma(V)) = 0\big) \ge 1 - \varepsilon\,, \tag{15}$$

while otherwise

$$\mathrm{Prob}\big(H(S \mid \sigma(V)) = H(S)\big) \ge 1 - \varepsilon\,, \tag{16}$$

where

$$\varepsilon = \frac{(k-2)(k-1)}{2(q-k)}\,. \tag{17}$$

Proof. Let $V \in \Gamma$ be an authorized subset, not necessarily minimal. In view of Theorem 2 there exists a minimal authorized subset $V_0$ (i.e., $|V_0| = k$) such that if $\det M_{V_0} \ne 0$, $V$ may recover $S$. On the other hand, we saw in Theorem 2 that if $0 \in U_0$ and $V \notin \Gamma$ is an unauthorized subset, there exists a minimal authorized subset $V_0$ such that $\det M_{V_0} \ne 0$ implies that $V$ cannot learn any information about $S$.

Hence, in order to prove both statements of the theorem, (15) and (16), it suffices to assume that $0 \in U_0$ and then show that if $V \in \Gamma$ is a minimal authorized subset, $M_V$ has a nonzero determinant with probability at least $1 - \varepsilon$.

To that end, let $V$ be such a subset and assume that its participants are ordered according to their position in the hierarchy, (11). We proceed to show that

$$\mathrm{Prob}(\det(M_V) = 0) \le \frac{(k-2)(k-1)}{2(q-k)}\,. \tag{18}$$

Noting that (18) clearly holds when $k = 1, 2$, we continue by induction on $k$. There are two cases to consider:

1. The last row in $M_V$ is $r^{(h)}(v_k)$ where $h < k-1$ (this happens if $k_{m-1} < k_m - 1$ or if $V \cap U_m = \emptyset$).

2. The last row in $M_V$ is $r^{(k-1)}(v_k)$ (this happens when $k_{m-1} = k_m - 1$ and $V \cap U_m \ne \emptyset$; in that case $v_k$ is the only participant in $V \cap U_m$).

We begin by handling the first case. Let $\mathbf{v} = (v_1, \ldots, v_{k-1})$ and $(\mathbf{v}, v_k) = (v_1, \ldots, v_k)$. Let $\mu_{k-1} = \mu_{k-1}(\mathbf{v})$ denote the determinant of the $(k-1) \times (k-1)$ minor of $M_V$ that is obtained by removing the last row and last column in $M_V$. Then

$$\det(M_V) = \sum_{i=0}^{k-2-h} c_i v_k^i + \frac{(k-1)!}{(k-1-h)!} \cdot \mu_{k-1} \cdot v_k^{k-1-h}\,, \tag{19}$$
for some constants $c_i$ that depend on $\mathbf{v}$. Let $\Omega$ denote the collection of all $\mathbf{v} \in \mathbb{F}^{k-1}$ for which $\mu_{k-1} = \mu_{k-1}(\mathbf{v}) = 0$. Then

$$\mathrm{Prob}(\det(M_V) = 0) = \sum_{\mathbf{v} \in \Omega} \mathrm{Prob}(\det(M_V) = 0 \mid \mathbf{v}) \cdot \mathrm{Prob}(\mathbf{v}) + \sum_{\mathbf{v} \notin \Omega} \mathrm{Prob}(\det(M_V) = 0 \mid \mathbf{v}) \cdot \mathrm{Prob}(\mathbf{v})\,. \tag{20}$$

If $\mathbf{v} \in \mathbb{F}^{k-1} \setminus \Omega$ then $\det(M_V)$ is a polynomial of degree $k-1-h$ in $v_k$, (19). Hence, there are at most $k-1-h$ values of $v_k$ for which $\det(M_V) = 0$. This implies that

$$\mathrm{Prob}(\det(M_V) = 0 \mid \mathbf{v}) \le \frac{k-1-h}{q-k} \tag{21}$$

(recall that the participant identities are distinct and are randomly selected from $\mathbb{F} \setminus \{0\}$). Note that $h$ could take any value between $0$ and $k-2$. However, if $h = 0$ it means that all participants in $V$ belong to the highest level, so that $M_V$ is a Vandermonde matrix. In that case, the matrix is invertible and, consequently, $\mathrm{Prob}(\det(M_V) = 0) = 0$. Therefore, the worst case in (21) is when $h = 1$. Hence, we rewrite (21) as follows:

$$\mathrm{Prob}(\det(M_V) = 0 \mid \mathbf{v}) \le \frac{k-2}{q-k} \qquad \forall\, \mathbf{v} \in \mathbb{F}^{k-1} \setminus \Omega\,. \tag{22}$$

If $\mathbf{v} \in \Omega$ then the degree of $\det(M_V)$ as a polynomial in $v_k$ is less than $k-1-h$. The problem is that it may completely vanish and then $\det(M_V)$ would be zero for all values of $v_k$. However, as $\mathbf{v}$ is a vector of dimension $k-1$, we may invoke the induction assumption (i.e., (18) for $k-1$) and conclude that

$$\mathrm{Prob}(\mathbf{v} \in \Omega) \le \frac{(k-3)(k-2)}{2(q-k+1)}\,. \tag{23}$$

Finally, combining (20), (22) and (23) we may prove (18) in this case:

$$\mathrm{Prob}(\det(M_V) = 0) \le \frac{k-2}{q-k} + \frac{(k-3)(k-2)}{2(q-k+1)} \le \frac{(k-2)(k-1)}{2(q-k)}\,.$$

In the second case, $\det(M_V)$ does not depend on $v_k$ as the last row in the matrix in this case is $(0, \ldots, 0, (k-1)!)$. Hence, we may solve for $a_{k-1}$ and reduce the system to a system in only $(k-1)$ unknowns, $\{a_i\}_{i=0}^{k-2}$. Consequently, we may apply induction in order to conclude that

$$\mathrm{Prob}(\det(M_V) = 0) \le \frac{(k-3)(k-2)}{2(q-k+1)} \le \frac{(k-2)(k-1)}{2(q-k)}\,.$$

The proof is thus complete.

Theorem 3 implies that if $k$, the number of overall participants that are required in an authorized subset, is a small number, the failure probability is $O(1/q)$ and therefore negligible, as it is equivalent to the probability of simply guessing the secret.
Corollary 1. Assume a random allocation of participant identities, (14). Then the probability that the resulting scheme has accessibility, (2), for all authorized subsets and perfect security, (3), for all unauthorized subsets is at least $1 - \binom{n}{k} \cdot \varepsilon$, where $\varepsilon$ is as in (17).

The random allocation is therefore a safe bet. Since usually $n$ and $k$ are not too large, the dealer may adopt this strategy and be confident, with high probability, that both requirements, accessibility and perfect security, will be satisfied.

3.3 Monotone Allocation of Participant Identities 

Here, we present a simple allocation method that guarantees both accessibility, (2), and perfect security, (3), if the size of the underlying field, $q$, is sufficiently large.

For every $0 \le i \le m$ we define $n_i = \big|\bigcup_{j=0}^{i} U_j\big|$, $n_{-1} = 0$. The simpler version of our method associates all $n_i - n_{i-1}$ members of $U_i$ with the identities $[n_{i-1} + 1, n_i] \subset \mathbb{F}$. The more flexible version of this method leaves gaps between the $m+1$ intervals of identities, in order to allow new participants to be added to any level while still maintaining the monotonic principle,

$$u \in U_i\,,\ v \in U_j\,,\ i < j \ \Longrightarrow\ u < v\,, \tag{24}$$

where the inequality is in the usual sense between integers in the interval $[0, q-1]$.

In Lemma 2 and Theorem 4 we prove that this method guarantees accessibility and perfect security, (2)+(3), provided that the size of the underlying field, $q$, is sufficiently large with respect to the parameters of the problem. In Lemma 2 we prove our basic lower bound on $q$ that guarantees these two conditions. Then, in Theorem 4, we use the bound of Lemma 2 and carry out a more delicate analysis that yields a better bound.

Lemma 2. Let $(\mathbf{k}, n)$ be a hierarchical secret sharing problem. Assume that the participants in $\mathcal{U}$ were assigned identities in $\mathbb{F}$ in a monotone manner, namely, in concert with condition (24), and let $N = \max \mathcal{U}$. Finally, assume that

$$2^{-k} \cdot (k+1)^{(k+1)/2} \cdot N^{(k-1)k/2} < q = |\mathbb{F}| \tag{25}$$

(where $k = k_m$ is the minimal size of an authorized subset). Then our hierarchical secret sharing scheme satisfies conditions (2) and (3).



Proof. In view of Theorem 2, it suffices to prove that if $V \in \Gamma$ is a minimal authorized subset, that may include the phantom participant $u = 0$, then the corresponding square matrix $M_V$, (12), is regular. Without loss of generality we assume that the participant identities in $V$ are given by (11) (with $\ell_m = k$) and that they are ordered in the usual sense in $\mathbb{R}$, $v_1 < v_2 < \cdots < v_k$. First, we prove that

$$\det M_V \ne 0 \quad \text{in } \mathbb{R}\,. \tag{26}$$

Then, invoking (25), we shall prove that

$$|\det M_V| < q \quad \text{in } \mathbb{R}\,. \tag{27}$$

Combining (26) and (27) we conclude that $\det M_V \ne 0$ in $\mathbb{F} = \mathbb{Z}_q$, as required.

In order to prove (26), we observe that the interpolation matrix $E$ that corresponds to the Birkhoff interpolation problem with which the participants in $V$ are faced has an echelon form. Indeed, all rows have exactly one entry that equals 1, and the position of the 1 is monotonically non-decreasing as we go down the rows of $E$: in the first $\ell_0$ rows we encounter the 1 in column $j = 0$, in the next $\ell_1 - \ell_0$ rows the 1 appears in column $j = k_0$ and so forth. Hence, the matrix $E$ has no supported 1-sequences in the sense of Definition 2. Recalling Proposition 1, we infer that the conditions of Theorem 1 are satisfied. Therefore, the corresponding Birkhoff interpolation problem is well-posed over $\mathbb{R}$, (26).

In order to bound the determinant of $M_V$, we invoke Hadamard's maximal determinant theorem [8, problem 523]. According to that theorem, if $A$ is a $k \times k$ real matrix, and

$$0 \le A_{ij} \le 1\,, \qquad 0 \le i, j \le k-1\,, \tag{28}$$

then

$$|\det(A)| \le 2^{-k} \cdot (k+1)^{(k+1)/2}\,. \tag{29}$$

Let $A$ be the matrix that is obtained from $M_V$ if we divide its $j$th column by $N^j$, $0 \le j \le k-1$. Since that matrix $A$ satisfies condition (28), we conclude, in view of (29) and (25), that $M_V$ satisfies (27). That completes the proof.

Theorem 4. Under the conditions of Lemma 2, the hierarchical secret sharing scheme satisfies conditions (2) and (3) provided that

$$\alpha(k) \cdot N^{(k-1)(k-2)/2} < q = |\mathbb{F}| \qquad \text{where } \alpha(k) := 2^{-k+2} \cdot (k-1)^{(k-1)/2} \cdot (k-1)!\,. \tag{30}$$



Proof. Assume that $V \in \Gamma$ is as in (11), and assume that it has $k$ participants whose identities are ordered in the usual sense in $\mathbb{R}$, $v_1 < v_2 < \cdots < v_k$. Let $d_i$, $1 \le i \le k$, be the order of derivative of the share that $v_i$ got. Namely, in view of (11) and (12), $d_i = 0$ for $1 \le i \le \ell_0$, $d_i = k_0$ for $\ell_0 + 1 \le i \le \ell_1$, and so forth. We refer to $\mathbf{d} = (d_1, \ldots, d_k)$ as the type of the interpolation problem that needs to be solved by the participants of $V$ since it characterizes the form of the coefficient matrix $M_V$, (12). Finally, let $t$ be the largest integer such that $d_i = i-1$ for all $1 \le i \le t$. We note that $t$ is well defined and $t \ge 1$ since always $d_1 = 0$ (i.e., $V$ must always include at least one participant of the highest level $U_0$).

Let $\mathcal{P}$ denote the problem of recovering $P$ from the shares of $\{v_i\}_{1 \le i \le k}$. We claim that $\mathcal{P}$ may be decomposed into two independent problems that may be solved in succession:

– Problem $\mathcal{P}_1$. Recovering the coefficients $a_i$, $t-1 \le i \le k-1$, of $P$ (see (10)) from the shares of $v_i$, $t \le i \le k$.

– Problem $\mathcal{P}_2$. Recovering $a_{i-1}$ from the share of $v_i$, for $i = t-1, \ldots, 1$.

Indeed, the equations that correspond to the $k-t+1$ last participants, $\{v_i\}_{t \le i \le k}$, involve only the $k-t+1$ coefficients $\{a_i\}_{t-1 \le i \le k-1}$ (note that if $t = 1$, $\mathcal{P}_1$ coincides with the original problem $\mathcal{P}$ and then $\mathcal{P}_2$ is rendered void). Hence, we may first concentrate on solving the (possibly reduced) interpolation problem $\mathcal{P}_1$. If that problem is solvable, we may proceed to problem $\mathcal{P}_2$. That problem is always solvable by the following simple procedure: for every $i = t-1, \ldots, 1$ we perform one integration and then, using the share of $v_i$, we recover the coefficient $a_{i-1}$ of $P$. Hence, we may concentrate on determining a sufficient condition for the solvability of $\mathcal{P}_1$. That condition will guarantee also the solvability of $\mathcal{P}$. (Note that $\mathcal{P}_1$ still satisfies Pólya's condition, Lemma 1.)

The dimension of the interpolation problem $\mathcal{P}_1$ is $k-t+1$. Hence, since the left hand side in (30) is monotonically increasing in $k$, we may concentrate here on the worst case where $t = 1$ and the dimension of $\mathcal{P}_1$ is $k$ (namely, $\mathcal{P}_1 = \mathcal{P}$). The main observation, that justifies this preliminary discussion and the decomposition of $\mathcal{P}$ into two sub-problems, is that in the type $\mathbf{d}$ of $\mathcal{P}_1$, $d_1 = d_2 = 0$. Indeed, $d_1 = 0$ and $d_2 \le 1$ as enforced by Pólya's condition; moreover, $d_2 \ne 1$ for otherwise $t \ge 2$, as opposed to our assumption that $t = 1$. With this in mind, we define $s \ge 2$ to be the maximal integer for which $d_i = 0$ for all $1 \le i \le s$.

Next, we write down the system of linear equations that characterizes the interpolation problem $\mathcal{P}_1$. To that end, we prefer to look for the polynomial $P$ in its Newton form with respect to $\{v_i\}_{1 \le i \le k}$ (as opposed to its standard representation (10)):

$$P(x) = \sum_{j=0}^{k-1} c_j \prod_{i=1}^{j} (x - v_i)\,. \tag{31}$$

Writing down the system of linear equations in the unknowns $\{c_j\}_{0 \le j \le k-1}$, we see that the corresponding coefficient matrix, $\tilde{M} = \tilde{M}_V$, has a block triangular form,

$$\tilde{M} = \begin{pmatrix} B_1 & 0 \\ B_2 & B_3 \end{pmatrix}\,, \tag{32}$$

where the upper-left $s \times s$ block is given by

$$B_1 = \begin{pmatrix}
1 & 0 & 0 & \cdots & 0 \\
1 & v_2 - v_1 & 0 & \cdots & 0 \\
1 & v_3 - v_1 & \prod_{i=1}^{2}(v_3 - v_i) & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & v_s - v_1 & \prod_{i=1}^{2}(v_s - v_i) & \cdots & \prod_{i=1}^{s-1}(v_s - v_i)
\end{pmatrix} \tag{33}$$

(we use the notation $\tilde{M}$ in order to distinguish this matrix from $M = M_V$, (12), that was the coefficient matrix in the linear system for the unknowns in the standard representation of the interpolant $P(x)$, (10)). Invoking the same
arguments as in Lemma 2, we conclude that

$$\det \tilde{M} \ne 0 \quad \text{in } \mathbb{R}\,. \tag{34}$$

We need to show that

$$\det \tilde{M} \ne 0 \quad \text{in } \mathbb{F}\,. \tag{35}$$

In order to prove (35), we first invoke (32) to conclude that

$$\det \tilde{M} = \det B_1 \cdot \det B_3\,. \tag{36}$$

As $N < q$, all terms on the diagonal of $B_1$, (33), are nonzero in $\mathbb{F}$, so that $B_1$ is invertible over $\mathbb{F}$. Therefore, by (36), we only need to show that

$$\det B_3 \ne 0 \quad \text{in } \mathbb{F}\,, \tag{37}$$

in order to prove (35). Since $\det B_3 \ne 0$ in $\mathbb{R}$, as implied by (34) and (36), this amounts to showing that

$$|\det B_3| < q \quad \text{in } \mathbb{R}\,. \tag{38}$$

In order to prove (38), we shall show that

$$|\tilde{M}_{ij}| \le j \cdot N^{j-1} \qquad \text{for all } s+1 \le i \le k\,,\ s \le j \le k-1 \tag{39}$$

(note that the rows of $\tilde{M}$ correspond to $v_i$, $1 \le i \le k$, while the columns of $\tilde{M}$ correspond to the unknown coefficient $c_j$, $0 \le j \le k-1$). Then, we may proceed to prove (38) using Hadamard's inequality: let $A$ be the matrix that is obtained from $B_3$ after dividing its $j$th column, $s \le j \le k-1$, by $j \cdot N^{j-1}$. Then according to (39), the normalized block $A$ satisfies condition (28) of Hadamard's maximal determinant theorem. Hence, by (29),

$$|\det A| \le 2^{-k+s} \cdot (k-s+1)^{(k-s+1)/2}\,.$$

Consequently, since $s \ge 2$,

$$|\det B_3| = |\det A| \cdot \prod_{j=s}^{k-1} j \cdot N^{j-1} \le 2^{-k+2} \cdot (k-1)^{(k-1)/2} \cdot (k-1)! \cdot N^{(k-1)(k-2)/2}\,. \tag{40}$$

Inequalities (40) and (30) prove (38).

The only missing link is (39). In order to prove this inequality, we need to derive an expression for the derivatives of $P(x)$, (31). Let us introduce the notations

$$P_j(x) := \prod_{i=1}^{j} (x - v_i)\,, \qquad P_{j,h}(x) := \frac{d^h}{dx^h} P_j(x)\,, \qquad 0 \le j \le k-1\,,\ h \ge 0\,. \tag{41}$$
Then, since $P_{j,h} = 0$ for all $j < h$,

$$P^{(h)}(x) = \sum_{j=h}^{k-1} c_j P_{j,h}(x)\,. \tag{42}$$

The expression for $P_{j,h}(x)$ is given by

$$P_{j,h}(x) = \sum \big\{ \Pi_{(g_1,\ldots,g_h)}(x) \;:\; (g_1,\ldots,g_h) \in G(j,h) \big\}\,, \tag{43}$$

where $G(j,h)$ is the set of all ordered selections of $h$ elements from $\{1, \ldots, j\}$ and

$$\Pi_{(g_1,\ldots,g_h)}(x) = \prod \big\{ (x - v_i) \;:\; i \in \{1,\ldots,j\} \setminus \{g_1,\ldots,g_h\} \big\}\,. \tag{44}$$

Setting $x = v_\ell$, for some $s+1 \le \ell \le k$, in (42), we see that the $\ell$th row in $\tilde{M}$ takes the form

$$(\tilde{M}_{\ell j})_{0 \le j \le k-1} = \big( 0 \ \cdots \ 0 \ \ P_{h,h}(v_\ell) \ \cdots \ P_{k-1,h}(v_\ell) \big)\,, \tag{45}$$

where $h = d_\ell$ is the order of derivative of the share of $v_\ell$. From (43),

$$|P_{j,h}(v_\ell)| \le |G(j,h)| \cdot \max_{(g_1,\ldots,g_h) \in G(j,h)} |\Pi_{(g_1,\ldots,g_h)}(v_\ell)|\,.$$

Since, by (44), $|\Pi_{(g_1,\ldots,g_h)}(v_\ell)| \le N^{j-h}$, we conclude that

$$|P_{j,h}(v_\ell)| \le j^h \cdot N^{j-h}\,, \qquad h \le j \le k-1\,. \tag{46}$$

As the definition of $s$ implies that $h \ge 1$ for all rows $s+1 \le \ell \le k$, and since $j \le k-1 < N$, we infer by (46) and (45) that

$$|\tilde{M}_{\ell j}| \le j \cdot N^{j-1}\,, \qquad h \le j \le k-1\,. \tag{47}$$

Since, by (45), the inequality in (47) holds trivially for columns $0 \le j \le h-1$ as well, that proves (39). The proof of the theorem is thus complete.

Condition (30) is pretty sharp. It may be seen that the worst scenario is that in which $\mathbf{d} = (0, 0, 1, \ldots, 1)$, namely, $k_0 = 1$ (the number of participants from $U_0$ must be at least 1) and there are two participants from $U_0$ while all the rest are from $U_1$. In such cases, the (real) determinant of the block in the matrix of coefficients $\tilde{M}$ is ..., though the constant $\alpha(k)$ may be somewhat improved.

Table 1 includes for each value of $k$, $5 \le k \le 8$, the maximal value of $N$ for which the original condition, (25), and the improved one, (30), still hold when the secret to be shared is an AES key (namely, $q$ is of size 128 bits). The figures in the table demonstrate the exponential drop in the capacity of the scheme, $N$, when $k$ increases. However, this should not be worrisome because $n$ and $k$ in any plausible real-life application are usually small. In the unlikely scenario of $k$ and $N$ so large that condition (30) fails to hold for any prime $q$ of the size of the secret to be shared, we may always go back to the random allocation strategy that was described in the previous section.
Table 1. Values of $k$ and $N$ that satisfy conditions (25) and (30)

    k    Condition (25)    Condition (30)
    5    N ≤ 5497          N ≤ 1234795
    6    N ≤ 296           N ≤ 3637
    7    N ≤ 56            N ≤ 200
    8    N ≤ 19            N ≤ 38
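The scheme analysed in Theorem 2, with identities allocated as in Section 3.3, carried out as an added example that is not code from the paper: the dealer hands out derivative shares over $\mathbb{Z}_q$, a subset recovers the secret by solving $M_V \mathbf{a} = \sigma$, and the Theorem 2 security criterion, that $(1, 0, \ldots, 0)$ lies outside the row space of $M_V$, is checked for unauthorized subsets. The level sets, thresholds, secret and prime $q$ are constructed for the demo.

```python
"""Conjunctive hierarchical threshold secret sharing over Z_q via Birkhoff
interpolation, as analysed in Theorem 2 and Section 3.3.

Added example, not code from the paper. The dealer picks
P(x) = S + a_1 x + ... + a_{k-1} x^{k-1} over F = Z_q; a member u of level U_i
receives the derivative P^{(k_{i-1})}(u) (with k_{-1} = 0); a subset V solves
M_V a = sigma, where the row of M_V for u is r^{(h)}(u), the h-th derivative of
(1, x, ..., x^{k-1}) at x = u. The levels, thresholds and the prime q used in the
demo are constructed; identities follow the monotone allocation of Section 3.3.
"""
import random
from math import factorial

Q = 2**31 - 1  # a prime; constructed choice of field size for the demo


def derivative_row(v, h, k, q):
    """r^{(h)}(v): entry j is j!/(j-h)! * v^(j-h) for j >= h and 0 otherwise."""
    return [factorial(j) // factorial(j - h) * pow(v, j - h, q) % q if j >= h else 0
            for j in range(k)]


def eliminate(rows, q, ncols=None):
    """Gauss-Jordan elimination over Z_q on the first `ncols` columns.
    Returns the reduced rows and the list of pivot columns."""
    rows = [r[:] for r in rows]
    ncols = len(rows[0]) if ncols is None else ncols
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], q - 2, q)           # Fermat inverse, q prime
        rows[r] = [x * inv % q for x in rows[r]]
        for i, row in enumerate(rows):
            if i != r and row[c]:
                rows[i] = [(x - row[c] * y) % q for x, y in zip(row, rows[r])]
        pivots.append(c)
        r += 1
    return rows, pivots


def rank(rows, q):
    return len(eliminate(rows, q)[1])


def solve(M, sigma, q):
    """The unique solution a of M a = sigma over Z_q, or None if none exists."""
    k = len(M[0])
    red, pivots = eliminate([row + [s] for row, s in zip(M, sigma)], q, ncols=k)
    if len(pivots) < k or any(row[k] for row in red[k:]):
        return None
    return [red[i][k] for i in range(k)]


class HierarchicalScheme:
    def __init__(self, levels, thresholds, q=Q):
        # levels[i] is the set of identities of U_i; thresholds k_0 < ... < k_m = k
        self.levels, self.k, self.q = levels, list(thresholds), q
        self.order = {}  # identity -> derivative order of the share it receives
        for i, level in enumerate(levels):
            for u in level:
                self.order[u] = 0 if i == 0 else thresholds[i - 1]

    def is_authorized(self, V):
        """Conjunctive condition (1): |V ∩ (U_0 ∪ ... ∪ U_i)| >= k_i for every i."""
        seen = 0
        for level, k_i in zip(self.levels, self.k):
            seen += len(set(V) & set(level))
            if seen < k_i:
                return False
        return True

    def deal(self, secret, seed=None):
        """Shares P^{(order(u))}(u) for every identity u."""
        k, rng = self.k[-1], random.Random(seed)
        coeffs = [secret % self.q] + [rng.randrange(self.q) for _ in range(k - 1)]
        return {u: sum(c * r for c, r in zip(coeffs, derivative_row(u, h, k, self.q))) % self.q
                for u, h in self.order.items()}

    def matrix(self, V):
        return [derivative_row(u, self.order[u], self.k[-1], self.q) for u in V]

    def recover(self, V, shares):
        """Secret S = a_0 if M_V a = sigma has a unique solution, else None."""
        a = solve(self.matrix(V), [shares[u] for u in V], self.q)
        return None if a is None else a[0]

    def hides_secret(self, V):
        """Perfect security test of Theorem 2: (1, 0, ..., 0) is not in row-space(M_V)."""
        M = self.matrix(V)
        e0 = [1] + [0] * (self.k[-1] - 1)
        return rank(M + [e0], self.q) == rank(M, self.q) + 1


if __name__ == "__main__":
    scheme = HierarchicalScheme(levels=[{1, 2}, {3, 4, 5}, {6, 7}], thresholds=[1, 3, 4])
    shares = scheme.deal(secret=123456789, seed=7)
    for V in ([1, 3, 4, 6], [1, 2, 3, 4, 5], [3, 4, 5, 6], [1, 2, 6, 7]):
        print(V, "authorized" if scheme.is_authorized(V) else "unauthorized",
              "recovers S" if scheme.recover(V, shares) == 123456789 else "cannot recover",
              "S hidden" if scheme.hides_secret(V) else "S exposed")
```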



4 An Ideal Scheme for the Disjunctive Hierarchical 
Secret Sharing Problem 

As described in the Introduction, Simmons [16] studied a closely related hierar- 
chical secret sharing problem, where the conjunction of threshold conditions is 
replaced by a disjunction (compare (1) to (7)). His solution to the problem was 
not ideal. Using the ideal secret sharing scheme that we presented herein for the 
conjunctive version of the problem, we may get an ideal secret sharing scheme 
also for the disjunctive version. 

Karchmer and Wigderson [11] introduced monotone span programs as a linear algebraic model of computation for computing monotone functions. A monotone span program (MSP hereinafter) is a quintuple $\mathcal{M} = (\mathbb{F}, M, \mathcal{U}, \phi, \mathbf{e})$ where $\mathbb{F}$ is a field, $M$ is a matrix of dimensions $a \times b$ over $\mathbb{F}$, $\mathcal{U} = \{u_1, \ldots, u_n\}$ is a finite set, $\phi$ is a surjective function from $\{1, \ldots, a\}$ to $\mathcal{U}$, which is thought of as labeling of the rows of $M$, and $\mathbf{e}$ is some target row vector from $\mathbb{F}^b$. The MSP $\mathcal{M}$ realizes the monotone access structure $\Gamma \subset 2^{\mathcal{U}}$ when $V \in \Gamma$ if and only if $\mathbf{e}$ is spanned by the rows of the matrix $M$ whose labels belong to $V$. The size of $\mathcal{M}$ is $a$, the number of rows in $M$. Namely, in the terminology of secret sharing, the size of the MSP is the total number of shares that were distributed to all participants in $\mathcal{U}$. An MSP is ideal if $a = n$.

If $\Gamma$ is a monotone access structure over $\mathcal{U}$, its dual is defined by $\Gamma^* = \{V : \mathcal{U} \setminus V \notin \Gamma\}$. It is easy to see that $\Gamma^*$ is also monotone. In [10] it was shown that if $\mathcal{M} = (\mathbb{F}, M, \mathcal{U}, \phi, \mathbf{e})$ is an MSP that realizes a monotone access structure $\Gamma$, then there exists an MSP $\mathcal{M}^* = (\mathbb{F}, M^*, \mathcal{U}, \phi, \mathbf{e}^*)$ of the same size as $\mathcal{M}$ that realizes the dual access structure $\Gamma^*$. Hence, an access structure is ideal if and only if its dual is.

Returning to the disjunctive hierarchical access structure that was studied by Simmons, (7), we claim the following straightforward proposition.

Proposition 2. Let $\mathcal{U} = \bigcup_{i=0}^{m} U_i$ be as in Definition 1. Let $\Gamma$ be the corresponding disjunctive access structure as defined in (7). Then $\Gamma^*$ is the conjunctive access structure that is defined in Definition 1 with thresholds $\mathbf{k}^* = \{k_i^*\}_{0 \le i \le m}$ where $k_i^* = \big|\bigcup_{j=0}^{i} U_j\big| - k_i + 1$, $0 \le i \le m$.

Since the conjunctive hierarchical access structure is ideal, at least over fields that are sufficiently large, we conclude the following.

Corollary 2. The disjunctive access structure (7) is ideal.
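Proposition 2 checked by exhaustive enumeration over every subset of $\mathcal{U}$, as an added example that is not code from the paper: the disjunctive structure (7), the conjunctive structure of Definition 1 and the dual $\Gamma^*$ are written as predicates on subsets, and the dual thresholds $k_i^*$ are computed from the formula in the proposition. The level sets and thresholds are constructed for the demo.

```python
"""Dual of the disjunctive hierarchical access structure (Proposition 2), checked
by exhaustive enumeration.

Added example, not code from the paper. Access structures are represented as
predicates on subsets of U; dual(gamma) is the set {V : U \\ V not in gamma}.
The level sets and thresholds in the demo are constructed.
"""
from itertools import combinations


def prefix_counts(levels, V):
    """(|V ∩ U_0|, |V ∩ (U_0 ∪ U_1)|, ...) for a subset V."""
    counts, seen = [], 0
    for level in levels:
        seen += len(set(V) & set(level))
        counts.append(seen)
    return counts


def conjunctive(levels, ks):
    """Definition 1: every cumulative threshold k_i must be met."""
    return lambda V: all(c >= k for c, k in zip(prefix_counts(levels, V), ks))


def disjunctive(levels, ks):
    """Simmons' structure (7): it suffices to meet one cumulative threshold."""
    return lambda V: any(c >= k for c, k in zip(prefix_counts(levels, V), ks))


def dual(levels, gamma):
    """Gamma^* = {V : U \\ V not in Gamma}."""
    U = set().union(*levels)
    return lambda V: not gamma(U - set(V))


def dual_thresholds(levels, ks):
    """Proposition 2: k_i^* = |U_0 ∪ ... ∪ U_i| - k_i + 1."""
    n = prefix_counts(levels, set().union(*levels))
    return [n_i - k_i + 1 for n_i, k_i in zip(n, ks)]


def same_structure(levels, gamma1, gamma2):
    """Compare two access structures on every subset of U."""
    U = sorted(set().union(*levels))
    return all(gamma1(V) == gamma2(V)
               for r in range(len(U) + 1) for V in combinations(U, r))


def proposition_2_holds(levels, ks):
    """Dual of the disjunctive structure == conjunctive structure with k^*."""
    lhs = dual(levels, disjunctive(levels, ks))
    rhs = conjunctive(levels, dual_thresholds(levels, ks))
    return same_structure(levels, lhs, rhs)


if __name__ == "__main__":
    levels, ks = [{1, 2}, {3, 4, 5}, {6, 7, 8}], [1, 3, 5]
    print("k* =", dual_thresholds(levels, ks))
    print("Proposition 2 holds:", proposition_2_holds(levels, ks))
```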
Abstract. When it is desired to transmit redundant data over an insecure and bandwidth-constrained channel, it is customary to first compress the redundant data and then encrypt it for security reasons. In this 
paper, we investigate the novelty of reversing the order of these steps, 
i.e. first encrypting and then compressing. Although counter-intuitive, 
we show surprisingly that through the use of coding with side infor- 
mation principles, this reversal in order is indeed possible. In fact, for 
lossless compression, we show that the theoretical compression gain is 
unchanged by performing encryption before compression. We show that 
the cryptographic security of the reversed system is directly related to 
the strength of the key generator. 



1 Introduction 

Consider the problem of transmitting redundant data over an insecure, 
bandwidth-constrained communications channel. It is desirable to both com- 
press and encrypt the data. The traditional way to do this is to first compress 
the data to strip it of its redundancy followed by an encryption of the compressed 
bitstream. In this paper, we investigate the novelty of reversing the order of these 
steps, i.e. first encrypting and then compressing, and the effect of that reversal 
on the compression efficiency and the cryptographic security. 

We present a scheme, based on distributed source coding, that enables us to 
realize this reversal of operations. Our scheme allows us to compress a stationary, 
i.i.d. source that has been encrypted with a stream cipher (cf., [1]) to a rate close 
to the entropy rate of the source. Although the code that is used to compress 
the encrypted source is entirely different from the code that would be used 
to compress the original source, we can in fact compress the encrypted source 
to the same rate as we could have compressed the original source. We focus 
exclusively on this class of stationary, i.i.d. sources in this work. The existence 
of linear codes that achieve these compression gains can be proven in a non- 
constructive manner. Furthermore, recent results from distributed source coding 
can be applied to this problem to give constructions for codes that can compress 
any i.i.d. source that has been encrypted with a stream cipher. In general, these 
codes will have inefficient decoding algorithms, which limits their usefulness. 
However, for the case of binary i.i.d. sources, we present code constructions from 
the literature that support computationally efficient decoding and still achieve 
compression gains close to the information-theoretic bounds. 

Our scheme requires that the decompression algorithm have access to the 
cryptographic key, but importantly, the compression algorithm does not receive 
the key. The compressor must know the entropy rate of the original source in 
order to select an appropriate code, but it does not use the encryption key. To 
be specific, the compressor only needs to know the entropy rate of the source, 
not the full distribution. Our scheme is statistical in nature, and there is the 
possibility that the output of the decoder will not match the original source. 
We show that for i.i.d. sources this probability of error decreases exponentially 
toward 0 as the blocklength of the code increases. 

While we focus here on the theoretical feasibility of our claim, we have uncov- 
ered a few application scenarios of possible interest. In one scenario, the genera- 
tor of the redundant data (the content author) has no incentive to compress the 
data as it is not interested in saving bandwidth that it does not own at the cost 
of unnecessary computational complexity. Nevertheless, the content generator 
is very interested in protecting the privacy of the content via encryption. This 
content is typically distributed to its client base by a content distribution unit 
which has great incentive to remove all redundancy from the content in order to 
maximize its network utilization. However, there is no trust between the content 
generator and the compressor, so the former will supply only encrypted data to 
the latter. Our scheme allows the compressing unit to compress the encrypted 
data at the same efficiency as if it was compressing the original, unencrypted 
data, even though the compressor does not have access to the key used in the 
encryption step. 

The main contribution of this work is in the identification of the connection 
between the stated problem and distributed source coding, as well as an analy- 
sis of the compression efficiency and cryptographic security of our scheme. This 
paper is organized as follows. Section 2 gives some background information. The 
scheme for compressing encrypted data is presented in Section 3. The crypto- 
graphic security of the scheme is studied in Section 4. Related work is discussed 
in Section 5. Some conclusions and future work are described in Section 6. 



2 Background 

Before describing our solution to the problem of compressing encrypted data, 
we will briefly present some background information. First, we will discuss the 
principles of distributed compression that underpin our solution. Then we will 
cover some concepts from cryptography that will be used to quantify the strength 
of the encryption. 




On Compressing Encrypted Data without the Encryption Key 493 



2.1 Distributed Source Coding 

Distributed source coding considers the problem of separately compressing sources X and S that are correlated, where the two compressors cannot communicate with each other. The Slepian-Wolf theorem [2] gives the smallest rates required to losslessly communicate X and S to the decoder, when both X and S come from memoryless sources outputting an unending stream of i.i.d. values. The Slepian-Wolf theorem is a non-constructive result that states these smallest rates, but does not show how to construct codes that approach the minimum rates. For a practical code construction there will be a tradeoff between the blocklength and the probability of error, i.e. as the blocklength increases the probability of error can be made smaller. However, this theorem also does not provide any specific insight into what the tradeoff is. Subsequent work by Csiszár [3], which we discuss in Theorem 1 in Section 3, has shown that linear codes can approach the bounds given by the Slepian-Wolf theorem.

An important special case of this problem, upon which we will focus, is when X needs to be sent to a decoder which has access to the correlated side-information S. For this special case, the Slepian-Wolf theorem asserts that the minimum rate required to transmit X is given by the conditional entropy (cf., [4]) of X given S, denoted by $H(X \mid S)$ bits/sample.

While the Slepian-Wolf theorem is non-constructive, there has been some 
recent work that provides practical code constructions to realize these distributed 
compression gains [5] . We will use an example to show the intuition behind these 
constructions. 

Fig. 1. A source coding with side information problem: The side information S is available at both the encoder and the decoder.

Fig. 2. A source coding with side information problem: X and S are three bit binary sequences which differ by at most one bit. S is available only at the decoder. The encoder can compress X to two bits by sending the index of the coset in which X occurs.

We begin by looking at the problem where S is available at both the encoder and the decoder, as depicted in Figure 1. In our example, X and S are correlated, uniformly distributed binary strings of length 3. The correlation structure is such that their Hamming distance is at most 1, i.e. they differ in at most one of the three bit positions. For example, if X is 010, then S will equally likely be one of the four patterns {010, 011, 000, 110}. The encoder forms the error pattern $e = X \oplus S$. Because X and S differ in at most one bit position, the error pattern e can take on only four possible values, namely {000, 001, 010, 100}. These four values can be indexed with two bits. That index is transmitted to the decoder, which looks up the error pattern corresponding to the index received from the encoder, and then computes $X = e \oplus S$.

Now, we consider the case in Figure 2 where S is available at the decoder, but not the encoder. Without S, the encoder cannot form the error pattern e. However, it is still possible for the encoder to compress X to two bits and for the decoder to reconstruct X without error. The reason behind this surprising fact is that there is no reason for the encoder to spend any bits to differentiate between X = 000 and X = 111. The Hamming distance of 3 between these two codewords is sufficiently large to enable the decoder to correctly decode X based on its access to S and the knowledge that S is within a Hamming distance of 1 from X. If the decoder knows X to be either X = 000 or X = 111, it can resolve this ambiguity by checking which of the two is closer in Hamming distance to S, and declare that codeword to be X. We observe that the set {000, 111} is a 3-bit repetition code with a Hamming distance of 3.

Likewise, in addition to the set {000, 111}, we can consider the following 3 sets for X: {100, 011}, {010, 101}, and {001, 110}. Each of these sets is composed of two codewords whose Hamming distance is 3. These sets are the cosets of the 3-bit repetition code. While we typically use the set {000, 111} as the 3-bit repetition code (0 is encoded as 000, and 1 as 111), it is clear that one could just as easily have used any of the other three cosets with the same performance. Also, these 4 sets cover the complete space of binary 3-tuples that X can assume. Thus, instead of describing X by its 3-bit value, all we need to do is to encode the coset in which X occurs. There are 4 cosets, so we need only 2 bits to index the cosets. We can compress X to 2 bits, just as in the case where S was available at both the encoder and decoder.

In practical situations, the correlation structure between X and S is often not as simple as in this example. For instance, X and S could be three-bit binary numbers such that the Hamming distance between X and S is equal to 0 or 1 with probability $1 - 10^{-6}$. If we compress X with the same code construction as above, then with probability $1 - 10^{-6}$ the Hamming distance between X and S will be at most 1 and $\hat{X}$ will be equal to X. However, with probability $10^{-6}$ the Hamming distance between X and S will be more than 1. In that case, $\hat{X}$ and X will be different, which means that the decoder has incorrectly decoded the message. The important point is that in these code constructions, unlike in standard source codes, there is a probability of error at the decoder.

In practice, we will use a much more complex channel code than the simple 
repetition code. The channel code is chosen based on the correlation structure 
between X and S, so as to minimize the probability of error. However, the 
encoding and decoding procedures are the same as in our three-bit example. 
The encoder finds the coset which contains X and transmits the index of this 
coset. The decoder finds the codeword in the coset denoted by the received index 
which is closest to S in the Hamming metric. 
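The coset indexing of this section, and the encrypt-then-compress use of it described in the caption of Fig. 3, as an added example that is not code from the paper: the compressor sends the syndrome of its input, and the decoder returns the member of that coset nearest to its side information. The parity-check matrices (the 3-bit repetition code of the text and, to go one step beyond it, the (7,4) Hamming code), the key and the source blocks are constructed for the demo.

```python
"""Coset (syndrome) coding with side information, generalising the 3-bit
repetition example of Section 2.1 to any short binary linear code.

Added example, not code from the paper. The compressor sends only the syndrome
H x (the index of the coset of x); the decoder holds the side information s and
returns the member of that coset closest to s in Hamming distance. The same two
functions give the encrypt-then-compress pipeline of Fig. 3: the compressor
syndromes the stream-cipher ciphertext y = x xor key without the key, and the
receiver uses the key as its side information. Parity-check matrices and inputs
below are constructed for the demo.
"""
from itertools import product

# Parity-check matrix of the 3-bit repetition code {000, 111}; its 2-bit
# syndromes index the four cosets {000,111}, {100,011}, {010,101}, {001,110}.
H_REP3 = [[1, 1, 0], [1, 0, 1]]

# Parity-check matrix of the (7,4) Hamming code: column j is the binary
# expansion of j+1, so every single-bit pattern has a distinct syndrome.
H_HAM7 = [[1, 0, 1, 0, 1, 0, 1],
          [0, 1, 1, 0, 0, 1, 1],
          [0, 0, 0, 1, 1, 1, 1]]


def xor(a, b):
    return tuple((u + v) % 2 for u, v in zip(a, b))


def syndrome(H, x):
    """H x over GF(2): the index of the coset containing x."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)


def coset_leaders(H):
    """Lightest pattern for every syndrome, found by brute force (short codes only)."""
    n = len(H[0])
    leaders = {}
    for e in sorted(product((0, 1), repeat=n), key=sum):  # by Hamming weight
        leaders.setdefault(syndrome(H, e), e)
    return leaders


def encode(H, x):
    """Compressor: needs neither the side information nor any key."""
    return syndrome(H, x)


def decode(H, index, s):
    """Decoder: the member of coset `index` nearest to the side information s.

    x = s xor e for some pattern e with H e = index xor H s, and the nearest
    member is the one with the lightest e, i.e. the coset leader."""
    e = coset_leaders(H)[xor(index, syndrome(H, s))]
    return xor(s, e)


def compress_encrypted(H, x, key):
    """Fig. 3, sender side: stream-cipher encryption followed by compression."""
    y = xor(x, key)           # ciphertext; the compressor sees only y
    return encode(H, y)       # coset index of y, no key involved


def joint_decode_decrypt(H, index, key):
    """Fig. 3, receiver side: the key plays the role of side information for y,
    since y differs from the key exactly in the positions where x has a 1."""
    y_hat = decode(H, index, key)
    return xor(y_hat, key)


if __name__ == "__main__":
    # The text's example: X = 010 and S within Hamming distance 1 of X.
    x3 = (0, 1, 0)
    for s in [(0, 1, 0), (0, 1, 1), (0, 0, 0), (1, 1, 0)]:
        print(x3, s, decode(H_REP3, encode(H_REP3, x3), s))
    # A sparse 7-bit source block (at most one 1) encrypted under a constructed
    # key is compressed to 3 bits and still recovered; a weight-2 block is
    # decoded wrongly, which is the decoder error event the text discusses.
    key = (1, 0, 1, 1, 0, 0, 1)
    for x in [(0, 0, 0, 0, 1, 0, 0), (1, 0, 0, 0, 1, 0, 0)]:
        idx = compress_encrypted(H_HAM7, x, key)
        print(x, idx, joint_decode_decrypt(H_HAM7, idx, key))
```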



2.2 Security 

We will express an arbitrary encryption scheme with the notation $c = E_k(m)$. Here, m is the plaintext, c is the ciphertext, and k is the key used by the algorithm.

We will quantify the security of an encryption scheme against chosen-plaintext attacks by means of the concept of left-or-right (LOR) security, which was introduced in [6]. The central feature of LOR security is an oracle which supplies responses to queries. A query consists of a pair of plaintexts, denoted by $(x, y)$. The response of the oracle will be the encryption of one of the two plaintexts in the query. There are two types of oracles. A left oracle, which we denote by $\S_0$, will always return the encryption of the first plaintext in the query. The functionality of selecting the first plaintext is denoted by the function $\S_0$, where we define $\S_0(x, y) = x$. In contrast, the right oracle uses a selection function, written $\S_1$, which always returns its second argument: $\S_1(x, y) = y$. In either case, the result of the selection algorithm is encrypted using $E_k$. Consequently, the functionality of the left oracle can be expressed as $E_k \circ \S_0$, and the right oracle as $E_k \circ \S_1$.

In the left-or-right security model, one of the two types of oracles is chosen at 
random. An adversary, denoted by A, attempts to determine whether the oracle 
is a left oracle or a right oracle by making queries to it. Intuitively, if the encryp- 
tion scheme is very weak then the adversary will be able to examine a ciphertext 
response and determine with high probability which of the two plaintexts in the 
query was encrypted. Conversely, for a very strong encryption scheme it is diffi- 
cult to match plaintexts to the corresponding ciphertexts: the adversary cannot 
do much better than randomly picking one of the two plaintexts. 

We use the superscript notation $A^{E_k \circ \S_0}$ to denote the output of the adversary after interacting with a left oracle, and $A^{E_k \circ \S_1}$ for its result after interacting with a right oracle. The output of the adversary will be 0 if the adversary decides that the oracle is a left oracle, and 1 if the adversary decides that it is a right oracle.
Fig. 3. Secure compression scheme: The data $X$ is first encrypted with a stream cipher and then compressed. At the receiver, decoding and decryption are performed in a joint step. The eavesdropper sees $U$, but (as we show) cannot learn anything useful about $X$.

For left-or-right security, we require that:

$$\bigl|\Pr[A^{E_k \circ \S_1} = 1] - \Pr[A^{E_k \circ \S_0} = 1]\bigr| \le \epsilon$$

In this equation, the probability is taken across the distribution of keys $k$ and any randomness in the adversary. If this equation holds for all possible adversaries that run in time $t$ and make $q$ or fewer queries to the oracle, then we say that the encryption scheme $E$ is $(t, q, \epsilon)$-LOR-secure. One other cryptographic concept which we will use is the variational distance.¹ This distance measures the dissimilarity between two probability distributions. If $D_1$ and $D_2$ are two probability distributions, then the variational distance $V(D_1, D_2)$ between the two is defined as:


3 Secure Compression Scheme

Our scheme for compressing encrypted data is illustrated in Figure 3. The message is first encrypted with a binary stream cipher. The seed $K'$ is used as the input to a pseudo-random generator (PRG), whose output is denoted by $K$. The message is encrypted by forming the bitwise binary sum $Y = X \oplus K$. Then, $Y$ is compressed to obtain the result $U = C(Y)$, and $U$ is transmitted to the recipient. The adversary is assumed to be able to eavesdrop on the ciphertext $U$.

¹ The variational distance is related, but not identical, to the K-L divergence (cf., [4]).
Throughout this work, we will assume that all sources are memoryless. In other words, we have a distribution $D$ on some alphabet $\mathcal{X}$; the source outputs an unending sequence of i.i.d. random variables, each distributed according to $D$. If $X$ denotes the sequence of outputs from such a source, we will sometimes write $X_1, X_2$, etc., for the first, second, etc., output from the source. Also, if $X$ is such a source, we write $X^n$ for the source that outputs a block of $n$ items from $X$ at a time. The first output of $X^n$ is $(X_1, X_2, \ldots, X_n)$ (which is distributed according to $D \times \cdots \times D$); the second output of $X^n$ is $(X_{n+1}, \ldots, X_{2n})$; and so on. The entropy rate of the source $X$ is $H(D)$, sometimes written just $H(X)$; consequently, the entropy rate of $X^n$ is $n \cdot H(X)$.

Also, we assume that the seed has been transmitted to the decoder through a secure channel. By implementing an identical PRG, the decoder also has access to $K$. This reduces the problem of compressing encrypted data to the distributed source coding problem. $Y$ and $K$ are two correlated sources, because $Y$ was generated via $Y = X \oplus K$. Our goal is to compress $Y$, using the fact that $K$ is available at the decoder as side information. The Slepian-Wolf theorem asserts that $Y$ can be compressed to a rate of $H(Y \mid K)$. Because $Y = X \oplus K$ and $K$ is independent of $X$, it follows that $H(Y \mid K) = H(X \oplus K \mid K) = H(X \mid K) = H(X)$. Hence, we can compress the encrypted source $Y$ to a rate $H(X)$, which is the entropy rate of the original source $X$, conditioned on the fact that $K$ is available at the decoder. In order to select a code to perform this compression, the encoder needs only to know $H(X)$, not the full distribution on $X$.



3.1 Theoretical Bounds on Compression Efficiency 

Although the Slepian-Wolf theorem is non-constructive, the distributed source coding using syndromes (DISCUS) framework [5] provides a constructive method of achieving the coding gains promised by Slepian-Wolf through the use of linear codes. In order for the DISCUS encoder to select a code matched to the particular source, it only needs to know the entropy rate of the original source, not the full distribution. Csiszár showed in [3] that linear codes can achieve the bounds given by the Slepian-Wolf theorem as the block length of the code approaches $\infty$. Therefore, by restricting our attention to linear codes we do not reduce the compression gains that can be achieved. We present the following theorem, which is our statement of a more general theorem from Csiszár as applied to our specific problem.

Theorem 1 (Csiszár). Let $X$ and $Y$ be memoryless sources with entropy $H(X)$ and $H(Y)$, respectively. Suppose that $X$ and $Y$ are correlated, in the following sense: we have a joint distribution function $f(x, y)$ which describes the distribution of $(X_i, Y_i)$ for every $i$. Also, suppose that $Y^n$ is side-information that is available perfectly at the decoder. Then, for every $\epsilon > 0$ and every blocklength $n$, there exists a linear code $C_n$ for compressing the source $X^n$ at an encoding rate of $n \cdot (H(X \mid Y) + \epsilon)$ such that the probability $P_e$ of not being able to recover the source message correctly at the decoder is bounded above by: $P_e \le \exp\{-n \cdot g(\epsilon) + o(n)\}$.
The function $g(\cdot)$ depends on the distribution $(X, Y)$, but not on $n$. Thus, Csiszár's work shows not only that the probability of error can be made arbitrarily small for large blocklengths and rates greater than $H(X \mid Y)$, but also that $P_e$ will decrease exponentially with the blocklength $n$ for suitably chosen codes. Although this theorem proves the existence of linear codes that approach the Slepian-Wolf bounds, it makes no guarantees on the decoding complexity or uniformity of such codes. In general, the codes will require computationally inefficient decoding and nonuniform encoding.

Notice that Csiszár's result is also non-constructive, in that it proves only the existence of a linear code achieving these rates, but does not specify how to find such a linear code explicitly. Hence, this result is achieved in a non-uniform model of computation: the code might depend in a non-uniform way on $\epsilon$, $p$, $X$, $Y$, $f$, and $n$; there is no guarantee that we can find a single compression algorithm that works for all $n$. These non-constructive aspects are unfortunate, but we do not know how to avoid them.

The advantage of using a linear code is in the computational complexity required to implement the encoder. The encoder divides the encrypted source $Y$ into blocks of length $n$. Each block, which we will denote as $Y_i^n$, is then mapped to a value $U_i$ in the set $\{0, 1\}^{nR}$, where $R$ is the rate of the code. Hence, $U_i$ can be represented by $nR$ binary digits. This mapping is performed via a simple matrix multiplication, $U_i = H Y_i^n$, where $H$ is a matrix of size $nR$ by $n$ that is referred to as a parity check matrix in the coding theory literature (cf., [7]).² The complexity of the compressor is quadratic in the block length, since the encoder compresses each block by performing a single matrix multiplication.

The parity check matrix used in the encoder corresponds to a particular code. This code in turn partitions the space of all $n$-bit binary numbers into cosets, just as in the example in Section 2 where the repetition code partitioned the space of three-bit binary numbers into four cosets. The decoder finds the codeword in the coset indexed by $U_i$ which is closest to the side information $K_i^n$ in Hamming distance. This codeword is denoted by $\hat{Y}_i^n$. The decoder then computes its estimate of the original source $X_i^n$, which is $\hat{X}_i^n = \hat{Y}_i^n \oplus K_i^n$.
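The encoder and decoder just described, carried out end to end, as an added example (this is not code from the paper; the parity-check matrices, the function names and the sample block and keystream are constructed for illustration). It goes beyond the text's single instance by running both the three-bit repetition code of Section 2 and a [7,4] Hamming code through the Figure 3 pipeline, computing the exact decoder error probability $P_e$ for a Bernoulli($p$) source, and reporting each code's rate next to $H(X)$ so the Slepian-Wolf bound can be checked against it:

```python
"""Syndrome-based compression of stream-cipher output (the Figure 3 pipeline).

Sender:   Y = X xor K,  U = H*Y            (one GF(2) matrix multiplication)
Receiver: Y_hat = word of the coset {y : H*y = U} closest to K,  X_hat = Y_hat xor K
All names below are illustrative choices, not the paper's.
"""
from fractions import Fraction
from itertools import product
from math import log2

# Parity-check matrices H (nR rows by n columns). In both codes every coset has a
# unique minimum-weight element, so the decoder never has to guess among ties.
H_REP3 = ((1, 1, 0),
          (0, 1, 1))                      # 3-bit repetition code, rate 2/3 bit/sample
H_HAM7 = ((1, 0, 1, 0, 1, 0, 1),
          (0, 1, 1, 0, 0, 1, 1),
          (0, 0, 0, 1, 1, 1, 1))          # [7,4] Hamming code, rate 3/7 bit/sample


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def syndrome(H, v):
    """U = H*v over GF(2)."""
    return tuple(sum(h * vi for h, vi in zip(row, v)) % 2 for row in H)


def rate(H):
    """Encoder output bits per source bit: nR / n."""
    return Fraction(len(H), len(H[0]))


def coset(H, u):
    """All n-bit words with syndrome u, i.e. the coset of the code indexed by u."""
    n = len(H[0])
    return [v for v in product((0, 1), repeat=n) if syndrome(H, v) == tuple(u)]


def decode(H, u, side):
    """Word of the coset indexed by u closest to `side` in Hamming distance.

    Exhaustive search over the coset, so exponential in n. Ties are broken by
    the lexicographically smallest error pattern v xor side, a choice that
    does not depend on the keystream."""
    return min(coset(H, u), key=lambda v: (sum(xor(v, side)), xor(v, side)))


def compress_encrypted(H, x, k):
    """Sender: encrypt block x with keystream block k, then emit the nR-bit syndrome."""
    return syndrome(H, xor(x, k))


def decompress_and_decrypt(H, u, k):
    """Receiver: joint decoding and decryption, with k as side information."""
    return xor(decode(H, u, k), k)


def decoder_error_probability(H, p):
    """Exact P_e for an i.i.d. Bernoulli(p) source X, whatever the keystream.

    Unrolling the pipeline gives X_hat = X xor c*, where c* is the codeword
    minimising (wt(X xor c), X xor c); the keystream cancels, so decoding fails
    exactly when X is not the leader selected for its own coset."""
    n = len(H[0])
    p = Fraction(p)                      # pass "1/10" or Fraction(1, 10) for exactness
    zero = (0,) * n
    return sum((p ** sum(x) * (1 - p) ** (n - sum(x))
                for x in product((0, 1), repeat=n)
                if decode(H, syndrome(H, x), zero) != x), Fraction(0))


def binary_entropy(p):
    """H(X) in bits/sample for a Bernoulli(p) source; this is the Slepian-Wolf rate H(Y|K)."""
    p = float(p)
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)


if __name__ == "__main__":
    # Constructed sample block and keystream block (not data from the paper).
    x, k = (0, 0, 0, 1, 0, 0, 0), (1, 0, 1, 1, 0, 0, 1)
    u = compress_encrypted(H_HAM7, x, k)
    print("U =", u, "recovered X:", decompress_and_decrypt(H_HAM7, u, k) == x)
    for H in (H_REP3, H_HAM7):
        print("rate", rate(H), "P_e at p=0.1:", float(decoder_error_probability(H, "1/10")))
    print("H(0.1) =", round(binary_entropy(0.1), 3))
```

At $p = 0.1$ the repetition code (rate $2/3 > H(0.1) \approx 0.469$) decodes wrongly with probability $0.028$, exactly the probability that a block contains two or more ones, whereas the Hamming code (rate $3/7 \approx 0.429 < H(0.1)$) fails with probability about $0.15$: below $H(Y \mid K)$ no decoder can do well, which is the converse of the Slepian-Wolf theorem. The coset search in `decode` is the exponential-time step the text warns about; the encoder is one matrix multiplication.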

Unfortunately, the complexity of the decoder is not as easily quantified as the encoder, and is highly dependent on the particular code used. We don't know the best achievable time for decoding in Csiszár's result, but we suspect that it may be exponential in $n$. For instance, we could find the $\hat{Y}_i^n$ which is the maximum likelihood estimate of $Y_i^n$ by exhaustive search through all of the codewords in the coset indexed by $U_i$, but the complexity of such a search would be exponential in $n$.

Also, the super-polynomial complexity of the decoder raises a correctness issue for compressing encrypted data: There is, in general, no guarantee that the decoder's error probability remains bounded by about $P_e$ in Figure 3, since the PRG is not guaranteed to remain pseudorandom against distinguishers with



² This can be readily generalized to non-binary sources. The elements of $U$ and $H$ are then from the same field as $X$.



super-polynomial running time. However, it seems reasonable³ to assume we can find a PRG whose security when used with $\kappa$-bit keys is $\exp\{\Omega(\kappa^\delta)\}$, for some constant $\delta > 0$. In this case, we can choose parameters so that the PRG provides security against all distinguishers running in time exponential in $n$, say, and then we will obtain a polynomial-time encoder and a decoder whose error probability is bounded by not much more than $P_e$.

In summary: Csiszár's result assures us of the existence of linear codes that provably meet the Slepian-Wolf rate, if our sources are memoryless. The encoder runs in polynomial time, but the decoder is suspected to require exponential time. (Note that our security results do not make any assumptions about the running time of the decoder; thus, our security claims for stream cipher encryption followed by Csiszár-style encoding are fully proven, not heuristic.) Also, Csiszár's result is non-constructive. Consequently, though Csiszár's results suffice to show (in principle) that compression can be securely and efficiently performed after encryption, the scheme thus obtained is, in several respects, not very attractive in practice.

3.2 Efficient Code Constructions 

For practical uses, we have candidate compression schemes that seem to behave 
much better. We outline next several such codes that seem to have reasonable 
encoding and decoding complexity (in particular, with polynomial running time) 
and that seem to come very close to the Slepian-Wolf bound. In each case, 
we have extensive empirical evidence that these schemes behave well, but no 
theoretically proven guarantees. In practice, one would probably use one of these 
schemes. 

The topic of linear codes (without side information) has been heavily studied in the coding literature, and several schemes are known that have computationally efficient, sub-optimal decoding algorithms. Turbo codes [8] and low density parity check (LDPC) codes [9] are two well-known examples. A class of LDPC codes known as expander codes were presented in [10] that were proven to have a polynomial-time decoding and to remove a constant fraction of the errors in a received codeword. Empirical results have consistently shown that LDPC codes have even better decoding performance than the proven bounds.

Recently, a significant amount of work has focused on applying both LDPC codes [11,12] and turbo codes [13,14] to the problem of source coding with side information. The authors of [12] consider a problem where the Slepian-Wolf theorem gives a bound of 0.466 bits/sample on the rate of the encoder. They used a long LDPC code to compress the binary source to a rate of 0.5 bits/sample and had a small probability of error at the decoder. These schemes are constructive, and they have computationally efficient encoding and decoding routines. Since we have shown that the problem of compressing encrypted data is an example of source coding with side information, we could obtain the same compression gains in our problem by using the same code. Thus, in practice, one would probably use one of these schemes.

³ The existence of such a PRG is not guaranteed by the existence of one-way functions with super-polynomial security, but the usual candidate constructions of PRGs all seem to achieve this security level.

Using these constructions, we can efficiently compress any i.i.d. binary source that has been encrypted with a binary stream cipher. In theory, the encrypted source can be compressed to the entropy rate of the original source. In practice, by using LDPC or turbo codes, we can compress the encrypted source to a rate very close to the theoretical limit with a low probability of error. Obviously, if $X$ is a Bernoulli(0.5) binary source, then it has an entropy rate of 1 bit/sample and we cannot compress the encrypted source. For any i.i.d. binary source with redundancy, however, we can compress $Y$ to a rate close to $H(X)$. The gap between the rate of the encoded data and $H(X)$ is limited only by the code used in the encoder and decoder. In theory, a non-binary i.i.d. source could also be compressed to $H(X)$. Constructing codes for non-binary sources is a problem that has not been studied thoroughly, but if such codes were constructed then they could be used in this problem.

Note that in real-time applications, the use of block codes could prove prob- 
lematic. Because the compressor cannot produce any output until it obtains n 
plaintext symbols, these approaches might add latency to the cryptosystem. The 
amount of latency will depend on the block length required to achieve the desired 
compression rate. 



3.3 Other Encryption Algorithms 

Up to this point, we have considered only a stream cipher encryption scheme. In 
a more general case, we could imagine using any encryption method whatsoever. 
For a general encryption method, it is still theoretically possible to compress the 
encrypted source to the entropy rate of the original source. However, in this case 
$Y$ and $K$ will have a very complex, non-linear correlation structure, whereas with a stream cipher the correlation between $Y$ and $K$ was the linear relationship $Y = K \oplus X$. Because the correlation structure is now nonlinear, we can
no longer leverage existing channel code constructions to construct distributed 
source codes. The source coding with side information problem becomes much 
more difficult with a nonlinear correlation structure, and is not well studied in 
the coding theory literature. 

The anonymous reviewers have pointed out that, in some cases, it may be possible to adapt our techniques to other encryption algorithms. If $E$ is a secure encryption algorithm, then $E'(X) = (E(K'), G(K') \oplus X)$ is also secure (where $K'$ is a fresh session key, randomly chosen for each message to be encrypted), and the second component of $E'(X)$ could be compressed using our scheme.

4 Cryptographic Security 

In this section, we provide an analysis of the cryptographic security of the en- 
cryption step of our system, and we give a proof of security under plausible 
assumptions. In brief, the intuition behind our analysis is as follows: First, no 
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computationally bounded attacker who observes V can learn anything interest- 
ing about X, if the pseudorandom generator (PRG) is secure. Second, because U 
is computable from Y in polynomial time, no computationally bounded attacker 
who observes U can learn anything useful about X. Since U is what is actually 
transmitted across the insecure link, this will demonstrate that the system is a 
secure encryption scheme. 

We will study the cryptographic security of the system in two steps. First, 
we will look at the case where the keystream K has been replaced with a 
Bernoulli (0.5) random variable. Then, we will extend this analysis to the case 
where K is the output of a PRG. Our main results will be stated as two theorems. 

We begin with the information-theoretic case, where K is truly random. If 
the keystream K is truly random, then the stream cipher becomes a one-time 
pad scheme, and security will follow easily. In particular, let R" be a source 
providing an unending stream of i.i.d. values uniformly distributed on {0, 1}*, 
chosen anew for each message transmitted independently of everything else (and 
assumed to be synchronized with the receiver). Let C : {0, 1}^ — >■ {0, 1}* be a 
compression algorithm, and define the cryptosystem Ek '■ {0,1}* — >■ {0,1}* by 
Eji{X) = C{X © K) (more precisely, E^^iXi) = C{Xi © Ki)). 

Theorem 2. When K is uniformly distributed, Ek{X) = C{X(BK) is (oo, q, 0)- 
LOR secure. 

Proof. Fix any x,x', and let K be uniform. The distribution a; © RT is identical 
to the distribution x' © K, hence C{x(BK) has exactly the same distribution as 
C{x' © K). This means that, no matter the distribution of the random variables 
X,X', {Ek o §o)(X, X') will have the same distribution as {Ek o §i)(X, X'). 
Gonsequently, 

I Pr[A*^^°§i = 1] - Pr[^*^^°§« = 1]| = 0 

for all adversaries A that make at most one query to their oracle. So, when q = 1, 
the scheme is (oo,l,0)-LOR secure. For g > 1, we can use a straightforward 
hybrid argument. Gonsider the following hybrids, representing how each of the 
q oracle queries will be answered: 

hybrid 0: Ek^ o §o,RiC 2 o §q,. . . ,Ek,, o §q 

hybrid 1: Ek^ o %i,Ek., o §q,. . . o §g 

hybrid q\ Ek^ o %i,Ek.^ o §i,. . . ,Ek,, o §i 

By the above argument, A’s output when run with hybrid i has the same distri- 
bution as ^’s output when run with hybrid z + 1 (here we use that the value of 
K is chosen anew for each oracle query, independently of everything else) . After 
a simple induction on q, we see that Ek is (oo, q, 0)-LOR secure. □ 

Next, we consider the full scheme, where the keystream K is generated using a 
PRG. More specifically, let the secret key K' be distributed uniformly on {0, 1}* , 
let G : {0,1}* — >■ {0,1}*® be a pseudorandom generator (PRG), and define 
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K = G{K'). As before, let C : {0,1}^ — >■ {0,1}* be a compression algorithm. 
This time, we will need to assume that the compression algorithm C runs in 
polynomial time. Finally, define the cryptosystem E'^^, : {0,1}^ — >■ {0,1}* by 
E'j^,{X) = Eg(^j^>){X) = C{X © G{K')); more precisely, E'j^,{Xi) = G{Xi © 
Ki), where K = G{K'). When this cryptosystem is used to encrypt multiple 
messages, we assume that we use consecutive outputs from the PRG, throwing 
away keystream bits after they are used. Of course, the encryptor must remember 
his place in the PRG output stream; hence, this is a stateful encryption scheme, 
and the sender and receiver must be synchronized. We now analyze the security 
of this cryptosystem. 

Theorem 3. Let G : {0, 1}^ — >■ {0, 1}^'^ he a {ti,e)-secure pseudorandom gen- 
erator, and assume that the running time of G is at most t 2 - Then E'j^,{X) = 
G{X © G{K')) is {t\ — (O + c)(j, q, 2e)-LOR secure, for some small constant c. 

Proof. Let Ex denote the encryption scheme when used with truly random K, 
and Eg(k') denote the scheme where the keystream K is generated as the output 
of the PRG, K = G{K'). By Theorem 2, 

Pr[^BKO§i ^ ^ ^ 

Next, we apply the triangle inequality: 

|Pr[^®G(K')°Sl ^ _ pr[^^^G(K')°§0 ^ 

< I Pr[A^G(K')°§i = 1] + Pr[A^^^°§0 = 1] - Pr[A®G(K')°So = 1]| 

< I Pr[A^G(K")°§l ^ _ Pr[^SK-°§l = 1]| + I Pr[A^G(K')°§0 ^ _ Pj.[^Bko§0 ^ 

We will show that both terms on the right-hand side are small. 

We can define an adversary Bi that attempts to distinguish between K and 
G{K') as follows: 

Bi can be thought of as a program that mimics the behavior of the attacker 
A and responds to A’s oracle queries by executing the basic cryptosystem with 
keystream z. If A runs in time t\ — t 2 Q — cq, and if G runs in time t 2 , then Bi 
will run in time G, since the extra overhead (beyond that of G) for answering 
each of A’s oracle queries is a small constant. Now, because the pseudorandom 
generator G is assumed to be (G, e)-secure and because Bi runs in time at most 
ti, it follows that Bfs advantage at breaking G is minimal: 

I Py[B,{G{K')) = 1] - Py[B,{K) = 1]| < e. 

Substituting the definition of Bi into the previous equation, we see that 

I Pr[A^c(K')0%i = 1] _ Pr[^SKO§, = i]| < e. 

This completes the proof. □ 

We see that the security of our encryption scheme is directly dependent on 
the security of the pseudo-random generator. If we believe that we are using a 
strong PRG, then the stream cipher encryption scheme will also be secure. 
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5 Related Work 

A problem closely related to source coding with side information has been stud- 
ied in the communication complexity literature (cf., [15, Exercise 4.55, p.64]). 
Suppose Alice holds a n-bit binary string X, and Bob holds S, chosen so that 
the Hamming distance between X and S is at most d. How many bits does it 
take for Alice to communicate X to Bob? 

This problem has a well-known solution [16,17,18] [19, §6] [20, Example 4] 
[21, Remark 5.1]: Pick any linear error correcting code E C {0, 1}" that corrects 
up to d errors; write X = C©[/, where C G is a codeword and [/ is a syndrome, 
and send U to Bob; Bob can apply the decoding algorithm to [/©S' = C©(X©S) 
to obtain C, and then Bob can compute X = C (BU . Also, if X and S are drawn 
from correlated i.i.d. binary sources, then for all e > 0, the Hamming distance 
between X and S is at most n- (Pr[A yf S] + e), except with exponentially small 
probability, so this yields a source coding algorithm with exponentially small 
decoding error for the special case of i.i.d. binary sources. 

As a result, one can build protocols for source coding with side information 
out of any high-rate linear error-correcting code. The best provable rates for 
explicit constructions can be found in [10,22]. 



6 Conclusions 

In this work, we have examined the possibility of first encrypting a data stream 
and then compressing it, where the compressor does not have knowledge of the 
encryption key. The encrypted data can be compressed using distributed source 
coding principles, because the key will be available at the decoder. Our principal 
contribution is in the observation that the problem of compressing encrypted 
data is a special case of the source coding with side information problem. We 
have studied both the compression efficiency and the cryptographic security 
aspects of this problem. It is an interesting open problem to extend our work to 
encryption schemes beyond the stream cipher. 
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Abstract. We explore the notion of a pseudo-free group, first introduced 
by Hohenberger [Hoh03], and provide an alternative stronger definition. 
We show that if Z* is a pseudo- free abelian group (as we conjecture), then 
Z() also satisfies the Strong RSA Assumption [FO97,CS00,BP97]. Being a 
“pseudo-free abelian group” may be the strongest natural cryptographic 
assumption one can make about a group such as Z* . More generally, we 
show that a pseudo-free group satisfies several standard cryptographic 
assumptions, such as the difficulty of computing discrete logarithms. 



1 Introduction 

Cryptographic schemes often work with finite groups in such a way that the 
security of the scheme depends upon an explicit complexity-theoretic assumption 
about computational problems in that group. 

For example, the RSA public-key cryptosystem [RSA78] works with the mul- 
tiplicative group Z* , where n is the product of two large primes. The security 
of RSA encryption depends upon the “RSA Assumption.” 

RSA Assumption: It is computationally infeasible for a probabilistic 
polynomial-time adversary, given an integer n that is the product of 
two sufficiently large randomly chosen primes, an integer e > 1 that is 
relatively prime to 4>{n), and an element a chosen randomly from Z*, to 
compute the x € Z* such that 

= a (mod n) 

with non-negligible probability.^ 

Similarly, the Cramer-Shoup cryptosystem and signature scheme [CS98, 
CS99] depend upon the “Strong RSA Assumption,” [F097,BP97]. which allows 
the adversary himself to choose an exponent e > 1. 

^ A function f{k) is considered to be a negligible function of k if for all constants c > 0 
and all sufficiently large k we have that \f{k)\ < l/k‘^. In the RSA Assumption, the 
phrase “non-negligible probability” is interpreted to mean a non-negligible function 
of log(n). 

M. Naor (Ed.): TCC 2004, LNCS 2951, pp. 505-521, 2004. 
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Strong RSA Assumption: It is infeasible for a probabilistic polynomial- 
time adversary, given an integer n that is the product of two sufficiently 
large randomly chosen primes, and an element a chosen randomly from 
Z* , to compute an x G Z* and an integer e > 1 such that 

= a (mod n) 

with non-negligible probability. 

Assuming that Z* is pseudo-free takes this progression one step further: the 
adversary may choose whatever equation he wishes and try to solve it, as long 
as the equation is “nontrivial” — unsatisfiable in the free group, with appropriate 
care for some details. The pseudo-free assumption is that the adversary will 
succeed with at most negligible probability. The assumption of pseudo-freeness 
may be made for any arbitrary finite group, such as an elliptic curve group or 
even a nonabelian group. We might call the assumption that Z* is pseudo-free 
the Super-Strong RSA Assumption. 

We explore the assumption that a group is pseudo-free or, more specifically, 
pseudo-free abelian, and show how it implies some of these other standard as- 
sumptions. Assuming that a finite group is pseudo- free thus appears to be quite 
a strong assumption. 

Why formulate and study such a strong assumption? Doesn’t this go against 
the traditional style of making only the minimal complexity-theoretic assump- 
tions necessary for a cryptographic scheme or protocol? Perhaps, but we provide 
the following motivation and justifications. 

• It seems quite plausible that Z* (for n the product of two sufficiently large 
randomly chosen primes) is in fact pseudo-free. 

• Making stronger assumptions may make proofs easier (this is especially use- 
ful for pedagogic purposes). 

• It may turn out that the pseudo-freeness is not a “stronger” assumption 
after all — it may be implied by simpler assumptions, perhaps more standard 
ones. 

• Reasoning in a free group can be quite simple and intuitive, so assuming 
pseudo-freeness allows one to capture “natural” security proofs in a plausible 
framework. (This was Hohenberger’s [Hoh03] motivation.) 

Section 2 provides some mathematical background, and then Section 3 devel- 
ops the definition of a pseudo-free group. Section 4 studies some of the implica- 
tions of assuming that a group is pseudo- free. Section 5 considers some variations 
and generalizations of the basic definition, and then Section 6 discusses further 
issues related to the notion of a pseudo-free group. Finally, Section 7 provides 
some conclusions and lists some open problems. 
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2 Mathematical Background 

2.1 Mathematical Groups 

We first restate the definition of a mathematical group. 

Definition 1. A group G = (S,o) consists of a set S of elements, and a binary 
operator o defined on S, such that: 

Closure: For all elements x,y € S, we have x o y & S. 

Identity: There is an element 1 G S' such that for all elements x € S, 
xol = lox = x . 

Associativity: For all elements x,y,zGS, x o {y o z) = {x o y) o z . 
Inverses: For every element x € S, there is an element y € S such that 
xoy = yox=l . 

We use multiplicative notation: ab means a o b. The inverse of x is denoted 
x~^. We let G also denote the set S. A group G is finite iff |S| is finite. A 
group G is abelian if o is commutative: for all x,y € G, xy = yx. We use the 
usual exponent notation: a® is the word aaa ... a of length e, and a“® is the 
corresponding inverse word a~^a~^ ... a~^ of length e. 



2.2 Computational Groups 

A mathematical group G has some representation [G] when used in cryptogra- 
phy. We call such a representation [G] a computational group implementing an 
underlying mathematical group. Many computational groups may implement the 
same mathematical group. 

In a computational group [G] , each element x G G has one or more represen- 
tations as a finite-length bit string [x]. We often omit brackets, understanding 
that each element has such representation(s). When G is finite, it is convenient 
to assume that there is a common bit-length N such that any representation of 
any element of G requires exactly N bits. 

A computational group provides efficient (polynomial-time) algorithms for 
all of the following operations: ^ 

Composition: Given (representations of) group elements x and y, com- 
pute (a representation of) x o y. 

Identity: Compute (a representation of) the identity element 1. 

Inverses: Given (a representation of) an element x, compute (a repre- 
sentation of) x~^. 

Equality Testing: Given (representations of) any two elements x,y G 
G, determine if x = y. 

^ Hohenberger [Hoh03] studies a variant where inversion is not efficiently computable, 
at least by the adversary, and relates such groups to transitive signatures schemes. 
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Sampling: (Only if G is finite.) Return (a representation of) an element 
chosen uniformly at random from G, or in a manner that is indistin- 
guishable from uniformly at random to a probabilistic polynomial- 
time (PPT) adversary. We denote such a procedure as x Gr G. 

As a running example: given n, the product of two large primes, anyone, 
including an adversary, can efficiently do all the group operations in Z*, using 
the usual representation of elements as residues modulo n. 



2.3 Black Box Groups 

The parties in a cryptographic protocol may access the group in a hlack-hox man- 
ner, a notion introduced by Babai and Szemeredi [BS84] (see also Babai [Bab97], 
and see Boneh and Lipton [BL96] for extension of the black-box notion to fields) . 

Under the black-box assumption, each element of the computational group is 
a bit string of some common length N, and “black-box” subroutines are available 
for the group operations. ^ 

The black-box assumption is that group operations may only be performed 
using the supplied implementations. Furthermore, the representation of group 
elements is “opaque”: operations on them other than through the black-box 
routines are forbidden. ^ 

It is natural to ask if there are black-box algorithms for various group- 
theoretic problems. The black-box assumption is reasonable for algorithm design; 
it amounts to a convention or a self-imposed restriction on what operations may 
be performed. To find an efficient algorithm under the black-box assumption is 
then a satisfying result; no unusual “tricks” are required. 

For example, Tonelli and Shanks [BS96, Section 7.1] [Coh93, Section 1.5.1] 
give a probabilistic black-box algorithm for computing square roots in Z*; it 
finds the black-box representation [x\ of a value x satisfying 

x^ = a (mod p) 

given the black-box representation [a] of a (assumed to be a quadratic residue), 
and also given the prime p. Other algorithms for this problem, such as 
Cipolla’s [BS96, Section 7.2], violate the black-box assumption for Z* by uti- 
lizing both field operations available in Fp. 

If no efficient black-box algorithm can be found for a problem, then the black- 
box assumption may be too restrictive. For example, Shoup [Sho97] proves lower 
bounds for discrete logarithms and other problems in the black-box group model. 

Footnote: For Babai [Bab97], these operations include all but sampling, as he studies the implementation of the sampling procedure itself.

Footnote: In some applications side information such as the size or structure of the underlying group, such as the fact that the group is cyclic, is known, even though the group's representation is otherwise "black-box"; we don't consider such side information here.
However, we are studying here not algorithmic efficiency, but cryptographic security. A typical adversary may willfully violate any black-box assumption: he may examine the bits of any representation or examine the code implementing any group operation.

Consider our running example: Z_n^*. Here an adversary is given n, and code for composition (i.e., for multiplication modulo n). Nothing prevents him from examining this code or the bit-level representations of elements, or from using methods such as "index-calculus methods" [SS98] not allowed under a black-box assumption.

Therefore, we do not make black-box assumptions. We assume that an adversary may use any available information and may use methods that depend upon representation or implementation details. The adversary has "non-black-box" access to the group implementation. Whether a group is pseudo-free may then depend on the details of its representation as a computational group; one should properly speak of whether a computational group is pseudo-free or not. In any case, for our purposes it will be relevant that an equation is satisfiable in a mathematical group if and only if it is satisfiable in any computational group representing it.

2.4 Free Groups 

Free groups are infinite groups derivable from a given set of generators that have 
no non-trivial relationships. 

Free groups are defined formally as follows. (See also Gutierrez [Gut00], for example.) Let A = {a_1, a_2, ..., a_k} be a nonempty set of distinct symbols, which are the generators of a free group. For each such symbol a_i, let a_i^{-1} be a new symbol representing the inverse of a_i. Let A^{-1} denote the set {a_i^{-1} | a_i ∈ A}, and let A^{±1} denote A ∪ A^{-1}; A^{±1} is the set of symbols for the free group with set A of generators.

We let F(A) denote the free group defined by the set A of generators. We may equivalently write F(a_1, a_2, ..., a_k) when A = {a_1, a_2, ..., a_k}. Elements of this free group may be represented as words (sequences of symbols of this free group). As an example, the word

a_1 a_2^{-1} a_2 a_1^{-1} a_3^{-1} a_2

represents an element of F(a_1, a_2, a_3, a_4).

A word may be simplified, or reduced, by repeatedly eliminating any two adjacent inverse symbols; the resulting word is equivalent to the original. Thus, the word in the above example is equivalent to a_3^{-1} a_2. A word that cannot be reduced further is reduced or in canonical form.

The elements of a free group are thus words in canonical form. One could 
alternatively define the elements to be equivalence classes of words. 

The operation ∘ for a free group is concatenation followed by simplification. For example, a_1 a_2 ∘ a_2^{-1} a_3 = a_1 a_2 a_2^{-1} a_3 = a_1 a_3.

Footnote: One could easily develop a theory of black-box pseudo-free groups.

The identity for a free group is the empty word e. Two words represent the same element of a free group if their reduced forms are the same. The inverse of a word is just the reverse of the word, with each symbol replaced by its inverse. The operator ∘ is closed and associative — for a proof see, for example, Lyndon and Schupp [LS77, Chapter I].

A free group on at least one generator is an infinite group, since there are an infinite number of distinct words in canonical form (e.g., {a^i : i ≥ 1}).

Since a free group is infinite, it is not possible to even approximately imple- 
ment uniform sampling. However, it is easy to construct a computational group 
that implements a free group on a countable set of generators except for the 
uniform sampling requirement. 

We note that if A ⊆ B, then F(A) is a subgroup of F(B).

2.5 Free Abelian Groups 

A free abelian group FA(a_1, a_2, ..., a_k) is defined similarly to ordinary free groups, except that the group is abelian. Thus, for any pair of symbols a and b, we may replace the sequence ab by the sequence ba and preserve equivalence.

Commutativity enables one to define the canonical form for a word in FA(a_1, a_2, ..., a_l) to be a word of the form:

a_1^{e_1} a_2^{e_2} \cdots a_l^{e_l}

for some integers e_1, e_2, ..., e_l. It is well known that FA(a_1, a_2, ..., a_l) is isomorphic to the l-fold direct sum Z ⊕ Z ⊕ ··· ⊕ Z. We could represent an element a_1^{e_1} a_2^{e_2} \cdots a_l^{e_l} of FA(a_1, a_2, ..., a_l) by the vector (e_1, e_2, ..., e_l), and implement ∘ with vector addition.
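The word operations of Sections 2.4 and 2.5 as an added example (this is not code from the paper): words are lists of (generator, sign) pairs, reduction cancels adjacent inverse pairs in one pass with a stack, ∘ is concatenation followed by reduction, and the image in FA(A) is the exponent vector. The textual notation "a2^-1" for an inverse symbol is this example's own convention.

```python
from collections import Counter
from typing import List, Tuple

# A word over F(A): a list of (generator, sign), sign +1 for a_i and -1 for a_i^{-1}.
Letter = Tuple[str, int]
Word = List[Letter]


def parse_word(text: str) -> Word:
    """Parse whitespace-separated letters such as 'a1 a2^-1 a2' into a word."""
    word: Word = []
    for tok in text.split():
        if tok.endswith("^-1"):
            word.append((tok[:-3], -1))
        else:
            word.append((tok, 1))
    return word


def fmt(word: Word) -> str:
    """Render a word; the empty word (the identity) prints as 'e'."""
    return " ".join(g if s == 1 else f"{g}^-1" for g, s in word) or "e"


def reduce_word(word: Word) -> Word:
    """Canonical form: delete adjacent inverse pairs a a^-1 or a^-1 a until none remain.
    A stack does this in a single left-to-right pass: a letter that inverts the top
    of the stack cancels it instead of being pushed."""
    stack: Word = []
    for g, s in word:
        if stack and stack[-1][0] == g and stack[-1][1] == -s:
            stack.pop()
        else:
            stack.append((g, s))
    return stack


def inverse(word: Word) -> Word:
    """Inverse of a word: reverse it and flip every sign."""
    return [(g, -s) for g, s in reversed(word)]


def compose(u: Word, v: Word) -> Word:
    """The group operation o: concatenation followed by simplification."""
    return reduce_word(u + v)


def equal(u: Word, v: Word) -> bool:
    """Two words represent the same element iff their reduced forms agree."""
    return reduce_word(u) == reduce_word(v)


def abelianize(word: Word, generators: List[str]) -> List[int]:
    """Image in FA(A): the exponent vector (e_1, ..., e_l), one entry per generator."""
    counts: Counter = Counter()
    for g, s in word:
        counts[g] += s
    return [counts[g] for g in generators]


if __name__ == "__main__":
    # The paper's own example word in F(a1, a2, a3, a4) and its reduced form a3^-1 a2.
    w = parse_word("a1 a2^-1 a2 a1^-1 a3^-1 a2")
    print(fmt(reduce_word(w)))                                         # a3^-1 a2
    print(fmt(compose(parse_word("a1 a2"), parse_word("a2^-1 a3"))))   # a1 a3
    print(fmt(compose(w, inverse(w))))                                 # e
    print(abelianize(w, ["a1", "a2", "a3", "a4"]))                     # [0, 1, -1, 0]
```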

3 Pseudo-Free Groups

A cryptographic scheme may utilize a particular mathematical group G; all 
parties have access to a computational group [G] representing G. 

Intuitively, a group is pseudo-free if it is indistinguishable from a free group. 
A free group has no surprising or anomalous identities; the only truths are those 
implied by the axioms of group theory. 

Thus, informally, we say that a finite group G is pseudo-free if a probabilistic polynomial-time adversary cannot efficiently produce an equation E and a solution to E in G where E has no solution in the "corresponding free group." Of course, we need to define what we mean by "corresponding free group."

Assuming that a finite group such as Z_n^* is pseudo-free is thus a complexity-theoretic assumption, similar to but stronger than the RSA Assumption or the Strong RSA Assumption.

This assumption turns out to be very strong, as it implies several standard cryptographic assumptions (at least for G = Z_n^*). Nonetheless, it seems a plausible assumption in some cases, and it may be useful for new applications. In any case, we find its formulation and elaboration interesting.
For example, in a free group (abelian or not), there is no solution to

x^2 = a (1)

where x is a variable ranging over group elements, and a is a generator of the free group, since for any value of x the reduced form of x^2 has even length. However, the corresponding equation in Z_n^*,

x^2 \equiv a \pmod{n}, (2)

has a solution if a is a square in Z_n^*. A solution to such a corresponding equation "proves" that Z_n^* is different from the corresponding free group.

The adversary may not claim that G is distinguishable from a free group merely because G is obviously finite, for example, because the elements of G all have N-bit representations. We insist on a different kind of proof: the adversary must provide a solution to an equation in G whose "corresponding equation" in a free group has no solution.

3.1 Equations in Free Groups 

Let H denote a free group, such as F(a_1, a_2, ..., a_l) or FA(a_1, a_2, ..., a_l). Let x_1, x_2, ..., x_m denote variables that may take values in H.

An equation in H takes the form

w_1 = w_2

where w_1 and w_2 are words formed from the symbols of H and from the variables x_1, x_2, ..., x_m. One can always put such equations in a "canonical form" of the form w = 1 for some word w.

As an example, in F(a_1, a_2) the equation

a_1 x_1 = x_2 a_2^{-1},

has many solutions (x_1, x_2), such as (a_2^{-1}, a_1) or (1, a_1 a_2).

Equations that have solutions in the free group are called satisfiable, others 
are called unsatisfiable. 

Our definition of a pseudo-free group depends on being able to distinguish 
effectively between satisfiable and unsatisfiable equations in a free group. 

Can one decide whether a given equation is satisfiable or not? Fortunately, one can. In 1982 Makanin [Mak82] showed that it is decidable whether or not an equation in the free group is satisfiable. More recently Gutierrez [Gut00] has shown that this problem is decidable in PSPACE. For our use, these results are quite sufficient; the decision procedure need not be in polynomial time.

When the free group is the abelian group FA(a_1, a_2, ..., a_l) it is easy to determine whether a given equation is satisfiable: the equation can always be rewritten in the form:

x_1^{d_1} x_2^{d_2} \cdots x_m^{d_m} = a_1^{e_1} a_2^{e_2} \cdots a_l^{e_l}

for integers d_1, d_2, ..., d_m, e_1, e_2, ..., e_l. Such an equation is satisfiable iff for all i, 1 ≤ i ≤ l, we have

\gcd(d_1, d_2, \ldots, d_m) \mid e_i . (3)

One can prove that this statement holds for l = 1 and that such solutions can be combined for larger l.

An equation that is satisfiable in F(A) is also satisfiable in FA(A) (but not necessarily conversely). This is useful since it provides an easy way to prove that an equation is unsatisfiable in a free group: merely prove that it is unsatisfiable in the corresponding free abelian group.

3.2 The Correspondence 

Given an equation that is unsatisfiable in a free group F(A), what counts as a "corresponding equation" in a given group G?

We have to be a little careful, since there are trivial cases to avoid. For example, the previously mentioned quadratic equation:

x^2 = a ,

which is unsatisfiable in F(a), may have "trivial" solutions in Z_n^*, depending on how the element in Z_n^* corresponding to the generator a of the free group is selected. For example, if the adversary is allowed to specify that a = 4, then there is clearly the trivial solution x = 2.

We resolve this issue (following Hohenberger's thesis [Hoh03]) by requiring that when making the correspondence between interpreting the equation in the free group and interpreting it in G, each of the generators a_i must correspond to an independently generated random element of G.

The adversary thus has no control over the choice of elements in G that are 
to correspond to the generators in the free group. 

Thus, for example, the adversary must take the square root of a randomly chosen element a ∈ Z_n^* in order to demonstrate an acceptable solution to the above equation, when G is the group Z_n^*.

This requirement that generators in the free group correspond to randomly 
chosen elements of G fits naturally with common cryptographic usage where, for 
example, one party publishes randomly-chosen elements g and h such that finding 
the discrete logarithm of h base g is assumed to be hard. For the adversary, the 
randomly chosen elements g and h are the “generators” of the group he must 
attack. 

Informally, an adversary succeeds in distinguishing G from a free group if he 
can produce: 

• An equation E that is unsatisfiable in the free group, where this equation has variables x_1, x_2, ..., x_m and generators a_1, a_2, ..., a_l.

• A sequence α_1, ..., α_l of values produced as random samples from the group G, to use as values for the generators a_1, a_2, ..., a_l. (If the inverse symbols a_i^{-1} are used, then they are to be replaced by the inverses of the randomly chosen values.)

• Values for the variables x_1, x_2, ..., x_m that satisfy the equation produced in G.

This definition allows the adversary to choose the equation himself, as long as the equation is unsatisfiable in the free group. This generalizes the situation for the Strong RSA assumption, where the adversary may choose the exponent e.

For efficiency in describing his equation, the adversary may use "exponential expressions," such as a{{ax)^^^x^'^) (see [Gut00, Section 2.2.1]), or even the mathematically equivalent but potentially more compact notation of algebraic straight-line programs, as proposed in Hohenberger [Hoh03].

The adversary need not produce a proof that the equation is unsatisfiable in a free group, since this can be verified directly using Makanin's or Gutierrez's algorithm. (One could alternatively require the adversary to produce an equation whose unsatisfiability can be verified in polynomial time, or to produce a polynomial-size proof of unsatisfiability; we do not study such a restriction here, since the impact of assuming pseudo-freeness is to support the infeasibility for an adversary to solve the equation, not to support using the equation in a protocol.) We make our definition more precise as follows.

Definition 2. A family G = {G_k : k > 0} of finite computational groups is pseudo-free if:

— All operations in G_k can be performed in time polynomial in k.

— For every probabilistic polynomial-time adversary A, for every polynomial p(·), if α_1, α_2, ..., α_{p(k)} are elements chosen uniformly and independently at random from G_k, then the probability

\Pr[A(G_k, \alpha_1, \alpha_2, \ldots, \alpha_{p(k)}) = (E, \beta_1, \beta_2, \ldots, \beta_m)]

where A is given access to the routines implementing the group G_k as well as the elements α_1, α_2, ..., α_{p(k)}, and where

E = E(x_1, x_2, \ldots, x_m; a_1, a_2, \ldots, a_{p(k)})

is an equation over the free group F(a_1, a_2, ..., a_{p(k)}) with variables x_1, x_2, ..., x_m such that E is unsatisfiable in F(a_1, a_2, ..., a_{p(k)}) but E(β_1, β_2, ..., β_m; α_1, α_2, ..., α_{p(k)}) is true in G_k, is a negligible function of k.

This definition refers to a family of computational groups, but one may apply 
it to a family of mathematical groups with the understanding that the groups 
are implemented in some standard way as computational groups. One may also 
wish to specify whether the adversary has black-box access or non-black-box 
access to the group. 

If the groups G_k are abelian, then we may also say that G is pseudo-free abelian, although we prefer just saying that G is pseudo-free when, as in the case G = {Z_n^*}, the groups are obviously abelian.
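The verifier's side of Definition 2 for the abelian case, as an added example (not the paper's code): condition (3) of Section 3.1 decides satisfiability in FA(a_1, ..., a_l) and, when satisfiable, produces a witness from Bezout coefficients; the same exponent lists are then evaluated in Z_n^* with the adversary's β_j and the random α_i. The modulus n = 3337 and all sample values are constructed for illustration, and `solve_abelian`, `holds_in_zn` and `breaks_pseudo_freeness` are this example's own names.

```python
from typing import List, Optional, Tuple

# An equation over FA(a_1, ..., a_l) in the canonical form of Section 3.1,
#   x_1^{d_1} ... x_m^{d_m} = a_1^{e_1} ... a_l^{e_l},
# is held as the exponent lists d (one per variable) and e (one per generator).


def ext_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, s, t) with g = gcd(a, b) >= 0 and s*a + t*b == g."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, s, t = ext_gcd(b, a % b)
    return (g, t, s - (a // b) * t)


def bezout(ds: List[int]) -> Tuple[int, List[int]]:
    """gcd of a list together with coefficients c with sum(c_j * d_j) == gcd (0 for [])."""
    g, coeffs = 0, []
    for d in ds:
        g2, s, t = ext_gcd(g, d)
        coeffs = [c * s for c in coeffs] + [t]
        g = g2
    return g, coeffs


def solve_abelian(d: List[int], e: List[int]) -> Optional[List[List[int]]]:
    """Decide condition (3): satisfiable iff gcd(d_1, ..., d_m) divides every e_i.
    Returns a witness (each x_j as an exponent vector in Z^l) or None if unsatisfiable."""
    g, coeffs = bezout(d)
    if g == 0:  # no variables, or every d_j == 0: the left side is the identity
        return [[0] * len(e) for _ in d] if all(ei == 0 for ei in e) else None
    if any(ei % g for ei in e):
        return None
    # sum_j c_j d_j == g, so x_j := (c_j * e_i / g)_i satisfies sum_j d_j x_j == e.
    return [[c * ei // g for ei in e] for c in coeffs]


def check_witness(d: List[int], e: List[int], xs: List[List[int]]) -> bool:
    """Verify sum_j d_j * x_j == e componentwise (the equation in FA as vectors)."""
    return [sum(dj * xj[i] for dj, xj in zip(d, xs)) for i in range(len(e))] == e


def holds_in_zn(n: int, d: List[int], e: List[int],
                betas: List[int], alphas: List[int]) -> bool:
    """Evaluate the same equation in Z_n^* with beta_j for x_j and alpha_i for a_i.
    Negative exponents rely on pow(x, -k, n) computing a modular inverse (Python >= 3.8)."""
    lhs = 1
    for dj, bj in zip(d, betas):
        lhs = lhs * pow(bj, dj, n) % n
    rhs = 1
    for ei, ai in zip(e, alphas):
        rhs = rhs * pow(ai, ei, n) % n
    return lhs == rhs


def breaks_pseudo_freeness(n, d, e, betas, alphas) -> bool:
    """Definition 2's check on an adversary's output (E, betas) for an abelian E: E must be
    unsatisfiable in the free abelian group (hence in the free group) yet true in Z_n^*."""
    return solve_abelian(d, e) is None and holds_in_zn(n, d, e, betas, alphas)


if __name__ == "__main__":
    # x^2 = a, equation (1): unsatisfiable since 2 does not divide 1.
    print(solve_abelian([2], [1]))                                  # None
    # x_1^2 x_2^3 = a_1 a_2^5: satisfiable; witness x_1 = a_1^-1 a_2^-5, x_2 = a_1 a_2^5.
    w = solve_abelian([2, 3], [1, 5])
    print(w, check_witness([2, 3], [1, 5], w))                      # [[-1, -5], [1, 5]] True
    # Constructed RSA-type output (equation (6) with e = 3): n = 47 * 71, beta = 1234 and
    # alpha = beta^3 mod n. The verifier sees only (E, beta, alpha).
    n, beta = 3337, 1234
    print(breaks_pseudo_freeness(n, [3], [1], [beta], [pow(beta, 3, n)]))  # True
```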
4 Pseudo-Freeness Implies Many Other Cryptographic Assumptions

If G is pseudo-free, then several standard complexity-theoretic assumptions 
follow. We look at the six fundamental problems studied by Lipschutz and 
Miller [LI71], and then examine other standard cryptographic assumptions, such 
as Diffie-Hellman. 

Lipschutz and Miller [LI71] consider six fundamental problems: the order problem [solving a^e = 1 for e], the power problem (aka the discrete logarithm problem) [solving a^e = b for e], the root problem (aka the RSA problem) [solving x^e = a for x], the proper power problem (aka the strong RSA problem) [solving x^e = a for x and e > 1], the generalized power problem [solving a^e = b^f for nonzero e, f], and the intersection problem for cyclic subgroups [solving a^e = b^f ≠ 1 for e, f]. They show these problems are independent: for each pair of problems there is a group such that one problem is solvable (i.e., satisfiability of the relevant equation is decidable) while the other problem is unsolvable. These problems, while studied with respect to their decidability, are familiar ones for the cryptographer; we explore their satisfiability in the free group, and consequent implications for pseudo-free groups.

4.1 Order Problem 

The order problem in G is the following: given an element a ∈ G, to determine a positive integer e (if any exist) such that

a^e = 1 . (4)

The least positive such value e is the order of the element a in the group G. In 
a free group all elements except the identity have infinite order, implying the 
following theorem. 

Theorem 1. In a pseudo-free group G, it is infeasible for an adversary to de- 
termine the order of a randomly chosen element a. 

4.2 Discrete Logarithm Problem 

The discrete logarithm problem in G is: given elements a and b from G, to determine an integer e (if any exist) such that

a^e = b ; (5)

the value e is a "discrete logarithm" of b, to the base a, in the group G.

This problem is often assumed to be hard, for specific groups G; in their classic paper [DH76b], for example, Diffie and Hellman assumed that this problem was hard in Z_p^* for large primes p. (See also [DH76a] for a slightly earlier usage.)

In F(a, b) and FA(a, b) equation (5) never holds, for any value of e. Since a and b are distinct generators, the two sides of the equation are variable-free constant expressions that cannot be equal.
Theorem 2. In a pseudo-free group, the discrete logarithm problem is infeasible for an adversary to solve, for randomly chosen values a and b.

4.3 RSA Assumption 

In the free group F(a) or FA(a) the equation

x^e = a (6)

has no solution, for any fixed value of e > 1. (It has no solution in FA(a), by our previous discussion of the condition of equation (3).)

Theorem 3. In a pseudo-free group, the RSA assumption holds. 

4.4 Strong RSA Assumption 

The Strong RSA Assumption, defined earlier, was introduced by Baric and Pfitzmann [BP97] and also by Fujisaki and Okamoto [FO97].

The ability of an adversary to himself choose an exponent e > 1 does not 
affect the satisfiability of equation (6) in a free group. 

Theorem 4. In a pseudo-free group, the Strong RSA Assumption holds. 

Similar equations, such as 

, 

where the adversary is given a and must find x, e, and f such that e > 1 and gcd(e, f) = 1, are also infeasible for the adversary to solve in pseudo-free groups; indeed this problem is equivalent to solving the strong RSA problem since = a where x = x^ and ee' + ff' = 1 (see [CS99, Lemma 1]).

4.5 Generalized Power Problem 

The generalized power problem is: given group elements a and b, to find nonzero integers e, f satisfying

a^e = b^f . (7)

Theorem 5. In a pseudo-free group, it is infeasible for an adversary to solve 
the generalized power problem. 

4.6 Intersection Problem for Cyclic Subgroups 

The intersection problem for cyclic subgroups is: given group elements a and b, to find integers e, f such that

a^e = b^f \neq 1 . (8)

Theorem 6. In a pseudo-free group, it is infeasible for an adversary to solve 
the intersection problem for cyclic subgroups. 
4.7 Diffie-Hellman Assumption

Interestingly, the (computational) Diffie-Hellman problem seems not to fit within 
our formalism. It is a very interesting open problem whether the Diffie-Hellman 
assumption is implied by pseudo-freeness. 

The Computational Diffie-Hellman problem (CDH) is the following: given a value g, and two values

a = g^e , (9)

b = g^f , (10)

for large randomly chosen integers e and f, to compute

x = g^{ef} . (11)

The CDH assumption is that an adversary will have a negligible chance of computing x, given a and b. The natural way of trying to show that the CDH assumption is implied by pseudo-freeness is via equations (9)-(11), where e and f are integer-valued variables, and x is a group element variable (see Section 5). However, this argument fails because an adversary who violates CDH to compute x need not be able to find e and f (this is DLP). There doesn't seem to be any equation in variable x alone (i.e., without e, f) available to verify that an adversary has correctly computed x. In other words, the decisional Diffie-Hellman problem doesn't seem to be solvable by verifying an appropriate set of equations involving the single unknown x.



5 Generalizations 

In this section we discuss some variations and generalizations on the basic notion 
of pseudo-freeness. 



5.1 Multiple Equations 

Mal'cev [Mal60] (see also [KM, Lemma 3 and Corollaries 2-3]) shows that for any finite set of equations in the free group, one can construct a single equation having exactly the same set of solutions. Thus, we may consider sets of simultaneous equations as equivalent to a single equation. The method is based on showing that the two equations x = 1, y = 1 are equivalent to the single equation = (y b y b^{-1})^2.

For abelian groups, it is easy to determine if a set of equations is satisfiable; 
one may apply standard techniques for solving a set of simultaneous equations 
over the integers (see Artin [Art91, Section 12.4], for example). 

These results allow us to permit the adversary to produce a set of simulta- 
neous equations rather than just a single equation, without loss of generality. 
5.2 Adversary Must Prove That Equation Is Unsatisfiable in the Free Group

One could require that the adversary provide a polynomial-time checkable proof 
that the equation he produces is indeed unsatisfiable in the corresponding free 
group. However, this restriction seems somewhat pointless, since the reason for 
assuming pseudo-freeness anyway is to conclude that finding an equation to- 
gether with its solution should be infeasible. 



5.3 Generation of α's

Instead of providing random α's to the adversary directly, one could allow the adversary to produce them himself, as long as they are guaranteed to be "random" in some way.

For example, the adversary might be allowed to use a hash function with range G to derive the relevant α. If the hash function is pseudorandom, or can be modeled as a random oracle [BR93], then its output could be considered as an acceptable α for our purposes.

Similarly, if the output of h is an integer, then we may be able to accept as an acceptable element α from G for our purposes. The essential criterion for sampling is that the adversary should have no control over the element chosen, and it should be reasonable to model the element chosen as being independently chosen (approximately) uniformly at random from G.

The values a supplied might also be constrained to ensure that a solution in 
G exists; we don’t pursue this variant further here. 



5.4 Generalized Exponential Expressions 

In the most general form of exponential expressions, the exponents may themselves be integer-valued variables. Consider for example, the equation (ax)^e b =

in F(a, b) where x is a variable ranging over group elements and e, f are integer-valued variables. This equation is satisfiable, for example, with x = b, e = 0, f = 1. It is an open problem how to decide if such equations, containing both element-valued variables and integer-valued exponent variables, are satisfiable — see Problem 3 in Section 7.

We may nonetheless allow an adversary to use these general exponential 
expressions, with variable exponents, because it is still possible to verify that 
the adversary has “done the impossible.” The adversary produces an equation E 
with variable exponents, and also a solution that satisfies E. If E is unsatisfiable, 
then so is the equation E' obtained by substituting into E the exponent values 
supplied in the adversary’s solution. One can then verify that E' is unsatisfiable 
using Makanin’s algorithm. 

Hohenberger uses straight-line programs in her definition of “equation” or 
“identity”, a natural further generalization of the exponential expressions, which 
could also be allowed here. 
5.5 Adaptive Attacks and Side Information

It may be possible to generalize the definition of pseudo-freeness here to handle adaptive attacks and other forms of "side information." How might the definition of pseudo-freeness change if side information, such as the order of the group, is known? Is there a reasonable way to do this? Similarly, how can the notion of pseudo-freeness be adapted to handle adaptive attacks, where the adversary may obtain a solution to an equation before having to provide a different solution (perhaps with new generators)?

6 Discussion 

We compare our definition of a pseudo-free group with that given in Hohen- 
berger’s thesis. Her work is motivated by transitive signature schemes, and does 
introduce the critical correspondence between elements drawn from G at random 
and generators in the free group. 

However, Hohenberger doesn’t use variables, which are necessary for setting 
up equations and showing how pseudo-freeness implies other cryptographic as- 
sumptions, and she doesn’t address the decidability of determining which equa- 
tions are satisfiable in a free group. Also, her definition requires that an adversary 
have only “black-box” access to G. 

7 Conclusions and Open Problems 

We have taken the definition of pseudo-free group introduced by Hohen- 
berger [Hoh03] , strengthened it, and shown how it implies a number of other well- 
known cryptographic assumptions. While stronger than many previous cryp- 
tographic number-theoretic assumptions, pseudo-freeness seems fairly natural, 
worthy of study in its own right, and quite plausible for commonly used groups. 

The study of pseudo-freeness yields some intriguing open problems and con- 
jectures. We begin with our main conjecture. 

Conjecture 1 (Super-Strong RSA Assumption). Z_n^* is pseudo-free.

The next open problem is to relate the Diffie-Hellman assumption to pseudo- 
freeness. 

Conjecture 2 (Diffie-Hellman holds for Pseudo-free groups). In a pseudo-free group, both the computational and decisional Diffie-Hellman assumptions hold.

The following interesting problem, discussed briefly earlier, also appears to 
be open. 

Conjecture 3. It is decidable whether a given equation (or set of equations) with constants is satisfiable over a free group, when the equation is written in exponential notation and may have integer-valued variables in the exponents.
Here is a (satisfiable) example of such an equation: a{{abYy)-^b = where x and y are variables (over the group), a and b are constants (group elements), and e and f are integer-valued variables. Some partial results are known [Lyn60, LI71, CE84]; the introduction to [CE84] gives a brief survey. This problem may also be open over semigroups.

Another open research direction is to explore ways of showing that a group G 
is not a free group, other than by demonstrating the solution to an equation that 
has no solution in a free group. For example, some statement of the elementary 
theory of free groups may be (say) false, but provably true in G. Kharlampovich 
and Myasnikov [KM98] have shown that the elementary theory of a free group 
is decidable, even if constants are allowed, a much more general result than 
determining whether a given equation is satisfiable in the free group. 

The theory of pseudo-free groups might also be expanded to handle cases such as Z_p^*; this group is typically not pseudo-free, since the size of the group is presumably known in a typical implementation.

Finally, we note that we have only scratched the surface of the study of 
adaptive attacks against cryptographic schemes defined on pseudo-free groups; 
much work remains to be done here. 